IBM Security QRadar SOAR


Setting Incident Fields with Artifacts

  • 1.  Setting Incident Fields with Artifacts

    Posted Thu December 08, 2022 01:02 AM
    Hi All, 

    We are working on a playbook. Is it possible that, as soon as an incident is created, a given incident field, for example "Hostname", is set with a value given in an artifact of type System Name?

    Example: Given, System Name = TEST1234
             Result, Hostname will be set to TEST1234

    ------------------------------
    Shubham Agarwal
    ------------------------------


  • 2.  RE: Setting Incident Fields with Artifacts

    Posted Thu December 08, 2022 08:36 AM
    Yes, this is possible with an automatic artifact playbook. The run conditions would be, IF Artifact is created AND Type is equal to System Name. This would then run a local script that would have the following code, incident.properties.hostname = artifact.value. Then the end point after the script. This playbook would run when an artifact of the type, System Name, is created and it would then set the Incident field, Hostname, to the value of that artifact. I can write up an example playbook and export it and upload it here if you would like.

    ------------------------------
    Richard Swierk
    ------------------------------
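
A guarded version of the one-line script from the reply above, as an added example that is not part of the original thread or IBM's code. Artifact values often come from parsed e-mails or external feeds, so it checks hostname syntax before writing the field. The function names, the "keep an existing different value" policy and the `SimpleNamespace` stand-ins for `incident` and `artifact` are assumptions made here so the logic runs outside SOAR.

```python
import re
from types import SimpleNamespace

# RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen; max 63 chars.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name):
    """True if name is a syntactically valid hostname or FQDN (max 253 chars)."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.rstrip(".").split("."))


def set_hostname_from_artifact(incident, artifact):
    """Copy artifact.value into incident.properties.hostname; return what happened."""
    value = (artifact.value or "").strip()
    if not is_valid_hostname(value):
        return "rejected"        # malformed value: leave the incident field untouched
    current = getattr(incident.properties, "hostname", None)
    if current and current.lower() != value.lower():
        return "kept-existing"   # assumed policy: do not overwrite a different hostname
    incident.properties.hostname = value
    return "set"


# Constructed stand-ins for the objects SOAR hands to a playbook script.
def make_incident(hostname=None):
    return SimpleNamespace(properties=SimpleNamespace(hostname=hostname))


def make_artifact(value):
    return SimpleNamespace(value=value)


if __name__ == "__main__":
    inc = make_incident()
    print(set_hostname_from_artifact(inc, make_artifact("TEST1234")), inc.properties.hostname)
```

Inside the playbook's local script, the two functions would be followed by a single call, `set_hostname_from_artifact(incident, artifact)`, using the objects SOAR provides.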