IBM Security QRadar SOAR

  • 1.  Generate IBM Security QRadar SOAR Incident Link

    IBM Champion
    Posted Thu March 17, 2022 10:35 AM
    All,

    We've found it's pretty common to want to generate a link for a given IBM Security QRadar SOAR incident within an in-product script.

    Our use-case: when an incident is generated from another security tool we like to leave a comment on the alert / ticket in that tool that contains the link to the associated IBM Security QRadar SOAR incident.

    Right now I am hardcoding the link, which causes headaches when moving workflows between our test and production environments.

    Does anyone have a more dynamic way of generating incident links within the in-product scripts?

    Thanks,

    ------------------------------
    Liam Mahoney
    ------------------------------


  • 2.  RE: Generate IBM Security QRadar SOAR Incident Link

    Posted Fri March 18, 2022 11:48 AM
    Hi Liam,

    I don't know how to manage that from a script. From apps, we have common methods you can use from resilient-lib: build_incident_url and build_resilient_url. I've used them like this:

    url = build_incident_url(build_resilient_url(res_options.get('host'), res_options.get('port')), incidentID)

    Where res_options is a dictionary of the [resilient] section from the app.config file.

    You can see all the common functions documented here: https://ibmresilient.github.io/resilient-python-api/pages/resilient-lib/resilient-lib.html

    Hope this helps
    Mark


    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Generate IBM Security QRadar SOAR Incident Link

    IBM Champion
    Posted Mon March 21, 2022 10:00 AM
    Mark,

    I appreciate the response. Sounds like I'll refactor the workflows to call a function that uses the build_incident_url function before posting the note.

    The documentation on the common functions is going to be a very helpful resource, thank you guys for making it!

    Thanks again!


    ------------------------------
    Liam Mahoney
    ------------------------------



  • 4.  RE: Generate IBM Security QRadar SOAR Incident Link

    Posted Fri March 08, 2024 10:48 PM

    Hi Mark

    I tried the above in apps code and I'm getting an error that res_options is not defined.
    Would you have any other suggestions?

    Thanks

    Preetham



    ------------------------------
    Fnu Preetham Nagesh
    ------------------------------



  • 5.  RE: Generate IBM Security QRadar SOAR Incident Link

    Posted Mon March 11, 2024 07:43 AM

    Hi Preetham,

    `res_options` in my example is a variable you've already set. Depending on your code, you may need to create that variable like this:

    @app_function(FN_NAME)
    def _app_function(self, fn_inputs):
        ...
        res_options = self.options.get("resilient", {})
        url = build_incident_url(build_resilient_url(res_options.get('host'), res_options.get('port')), incidentID)

    Hope this helps.



    ------------------------------
    Mark Scherfling
    ------------------------------
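
The approach from the replies above, as an added example that is not part of the thread and not resilient-lib code: the link is derived from the [resilient] section of app.config, so the same code yields the right link in test and production. It uses only the Python standard library; the config contents, the helper names load_resilient_options and incident_link, and the https://host:port/#incidents/ID link layout are assumptions.

```python
import configparser
import re

# Constructed app.config contents for two environments (sample values).
TEST_CONFIG = """
[resilient]
host = soar-test.example.com
port = 443
"""
PROD_CONFIG = """
[resilient]
host = soar.example.com
port = 8443
"""

# A bare hostname only: no scheme, path, credentials or whitespace.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$")


def load_resilient_options(config_text):
    """Return the [resilient] section as a dict, like res_options in the thread."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    if not parser.has_section("resilient"):
        raise ValueError("app.config has no [resilient] section")
    return dict(parser["resilient"])


def incident_link(res_options, incident_id):
    """Build an incident link from config values only; nothing is hardcoded."""
    host = (res_options.get("host") or "").strip()
    # Reject anything that is not a bare hostname, so a bad config value
    # cannot put a path, credentials or another site into a link that
    # gets posted to a ticket in a third-party tool.
    if not _HOST_RE.match(host):
        raise ValueError("invalid host in [resilient]: %r" % host)
    port = int(res_options.get("port") or 443)
    if not 1 <= port <= 65535:
        raise ValueError("invalid port: %d" % port)
    # Assumption: incident IDs are positive integers; int() rejects
    # anything else, such as a value carrying extra path segments.
    incident_id = int(incident_id)
    if incident_id <= 0:
        raise ValueError("invalid incident id: %d" % incident_id)
    # Assumed link layout: https://<host>:<port>/#incidents/<id>
    return "https://%s:%d/#incidents/%d" % (host, port, incident_id)
```

Inside an app, the resilient-lib helpers named in the replies take the place of incident_link; the validation of host and incident ID can still be applied before the link is posted to another tool.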