When you are on an incident, you may need to see whether an IOC (artifact) matches Threat Intelligence, on the summary page. You may also need to launch automation after this match.
Two property fields are used:
incident.properties.threat contains the value, in rich text, that shows the message
incident.properties.artifact_hit contains a boolean that is changed when an artifact matches Threat Intelligence
You can show the results of the match in your Summary section, and use the boolean field value changing to yes to launch new automation.
Result in the summary view:
Attached is the res file to import this configuration.
Feel free to use, change, adapt this code to your usage.
Building the res file:
resilient-circuits extract --script "GUI: Artifact Threat Hit" --rule "ORG: Threat Hit All" --field "threat" "artifact_hit" -o config_Threat_HIt.res --zip
------------------------------
BENOIT ROSTAGNI
------------------------------
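Added example, not the author's "GUI: Artifact Threat Hit" script and not product code: the same idea (turn an artifact's threat-intelligence hits into a rich-text message for incident.properties.threat and set incident.properties.artifact_hit) written as plain Python over dicts so it can be run and tested outside the SOAR platform. The two field names come from the post above; the shape of a hit (a threat_source name plus a list of name/value properties) is an assumption, and the artifact, hits and incident values are constructed sample data rather than anything read from a platform.

```python
# Added example (not the author's script): threat-hit logic as plain Python.
# Assumed hit shape: {"threat_source": str, "properties": [{"name": ..., "value": ...}]}.
# On the platform the script would read artifact.hits and write to
# incident.properties.threat / incident.properties.artifact_hit; here a dict
# stands in for incident.properties.
import html
from typing import Dict, List, Optional


def hit_to_line(artifact_value: str, artifact_type: str, hit: Dict) -> str:
    """Render one hit as an HTML list item. Every value is escaped because the
    'threat' field is rich text (HTML) and the artifact value is attacker-supplied."""
    source = html.escape(str(hit.get("threat_source", "unknown source")))
    details = ", ".join(
        f"{html.escape(str(p.get('name')))}: {html.escape(str(p.get('value')))}"
        for p in hit.get("properties", [])
    )
    line = (f"<li><b>{html.escape(artifact_type)}</b> {html.escape(artifact_value)}"
            f" matched <b>{source}</b>")
    if details:
        line += f" ({details})"
    return line + "</li>"


def build_threat_message(artifact_value: str, artifact_type: str,
                         hits: List[Dict]) -> Optional[str]:
    """Rich-text block for the 'threat' field, or None when the artifact has no hits."""
    if not hits:
        return None
    items = "".join(hit_to_line(artifact_value, artifact_type, h) for h in hits)
    return f"<div><b>Threat Intelligence hit</b><ul>{items}</ul></div>"


def apply_threat_hit(properties: Dict, artifact_value: str, artifact_type: str,
                     hits: List[Dict]) -> Dict:
    """Return an updated copy of the incident properties.

    'threat' accumulates one block per matching artifact, so earlier matches
    stay visible in the summary. 'artifact_hit' is only ever set to True here:
    an artifact with no hits must not reset it, otherwise a later clean
    artifact would hide an earlier match and the rule that fires on the field
    change would not trigger.
    """
    updated = dict(properties)
    message = build_threat_message(artifact_value, artifact_type, hits)
    if message is None:
        return updated
    updated["threat"] = (updated.get("threat") or "") + message
    updated["artifact_hit"] = True
    return updated


# Constructed sample hits standing in for artifact.hits on the platform.
SAMPLE_HITS = [
    {"threat_source": "Example Feed A",
     "properties": [{"name": "score", "value": "85"},
                    {"name": "category", "value": "malware"}]},
    {"threat_source": "Example Feed B", "properties": []},
]

if __name__ == "__main__":
    props = {"threat": None, "artifact_hit": False}
    props = apply_threat_hit(props, "198.51.100.7", "IP Address", SAMPLE_HITS)
    print(props["artifact_hit"])   # True
    print(props["threat"])
    # A clean artifact processed afterwards leaves both fields untouched.
    props = apply_threat_hit(props, "example.org", "DNS Name", [])
    print(props["artifact_hit"])   # True
```

The escaping matters more than it looks: the rich-text field is rendered as HTML in the summary, so an artifact value or feed property containing markup would otherwise be injected into the analyst's view.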