IBM Security QRadar SOAR

  • 1.  Updating Incident field with Artifact value

    Posted Mon December 05, 2022 12:43 PM
    Edited by Shubham Agarwal Mon December 05, 2022 12:43 PM
    Hi All, 

    We are working on building a playbook where we will be enriching artifacts like Hostname, Username, IP Address using 3rd party tools. 

    If the playbook is an incident activated playbook, then how can we take different artifacts inside our playbook tasks?

    For example: the 1st task inside the playbook will be used for enriching Hostname. Then how do we pass only the hostname into the 1st task?


    ------------------------------
    Shubham Agarwal
    ------------------------------


  • 2.  RE: Updating Incident field with Artifact value

    Posted Mon December 05, 2022 02:24 PM
    In order to access artifact data the playbook has to be an artifact activated playbook.

    ------------------------------
    Richard Swierk
    ------------------------------



  • 3.  RE: Updating Incident field with Artifact value

    Posted Tue December 06, 2022 01:45 AM
    Hi Richard, 

    Thanks for your response. We tried your solution and created one artifact activated playbook. But inside the playbook each task needs a different artifact. 
    For example: the 1st task inside the playbook will be used for enriching System Name. Then how do we pass only System Name into the 1st task?
    The 2nd task inside the playbook will be used for enriching MAC address. Then how do we pass only the MAC address? 

    We know "artifact.value" is used for taking the value of an artifact inside a script, but how can we pass a different artifact value into different tasks?


    ------------------------------
    Shubham Agarwal
    ------------------------------



  • 4.  RE: Updating Incident field with Artifact value

    Posted Tue December 06, 2022 09:19 AM
    This is currently not possible from playbooks. You are only able to use the artifact that the playbook is run off of.
    To enrich these artifacts using playbooks you would have to have multiple playbooks that would have an activation condition for the type of artifact it would enrich. For example, one playbook would enrich artifacts that are type System Name and another playbook would enrich artifacts that are type Mac Address.
    The only way I can think of to do this all at once would be to create a new integration with a function that would enrich these fields. The function would have to make an API call to the incident on SOAR to get all the artifacts associated with that incident. It would get more data for each artifact and then make another API call updating the artifacts on SOAR.

    ------------------------------
    Richard Swierk
    ------------------------------



  • 5.  RE: Updating Incident field with Artifact value

    Posted Wed December 07, 2022 10:53 AM
    Would you try an artifact activated playbook, and leverage a condition point which uses artifact type to determine different paths? Or, if your enrichment function can handle different artifact types, you pass both artifact.type and artifact.value as function input?

    ------------------------------
    Leo Kuo
    ------------------------------
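The two approaches suggested in replies 4 and 5 (a single function that walks every artifact of the incident, and a condition point that branches on artifact.type) share the same core: dispatch on the artifact type, validate the value before handing it to any third-party tool, and produce an update per artifact. The following is an added example written for this thread, not code from IBM or from any of the posters. It assumes the artifact type display names "System Name", "MAC Address" and "IP Address", and it uses a constructed in-memory artifact list in place of the incident's artifact list from the SOAR REST API, so it runs offline; the enrichment itself is limited to local normalisation and classification, where a real app would call its external tools.

```python
import ipaddress
import re

# Artifact type display names as used in the thread (assumption: these are the
# strings a SOAR artifact carries in its "type" field for this org).
HOSTNAME = "System Name"
MAC = "MAC Address"
IP = "IP Address"

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(r"^%s(\.%s)*$" % (_LABEL, _LABEL))


def validate(artifact_type, value):
    """Reject malformed values before they are sent to any third-party tool."""
    value = value.strip()
    if artifact_type == HOSTNAME:
        return len(value) <= 253 and bool(_HOSTNAME_RE.match(value))
    if artifact_type == MAC:
        return bool(_MAC_RE.match(value))
    if artifact_type == IP:
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    return False


def enrich_hostname(value):
    """Normalise case and split the FQDN; a real app would add asset-inventory data here."""
    host = value.strip().lower()
    short, _, domain = host.partition(".")
    return {"value": host,
            "description": "short name: %s; domain: %s" % (short, domain or "(none)")}


def enrich_mac(value):
    """Normalise to colon-separated lower case and record the OUI vendor prefix."""
    octets = re.split(r"[:-]", value.strip().lower())
    return {"value": ":".join(octets),
            "description": "OUI: %s" % "-".join(octets[:3]).upper()}


def enrich_ip(value):
    """Classify the address; a real app would add reputation or geo data here."""
    ip = ipaddress.ip_address(value.strip())
    scope = "private" if ip.is_private else "public"
    return {"value": str(ip), "description": "IPv%d, %s address" % (ip.version, scope)}


# The condition-point table: artifact.type selects the enrichment path.
HANDLERS = {HOSTNAME: enrich_hostname, MAC: enrich_mac, IP: enrich_ip}


def route(artifact):
    """Condition-point logic for an artifact activated playbook: pick a path by type."""
    return HANDLERS.get(artifact.get("type"))


def enrich_incident_artifacts(artifacts):
    """All-at-once variant: walk every artifact of one incident and build the
    update payloads to send back. Returns (updates, skipped)."""
    updates, skipped = [], []
    for art in artifacts:
        handler = route(art)
        if handler is None:
            skipped.append((art["id"], "unsupported type"))
            continue
        value = art.get("value", "")
        if not validate(art["type"], value):
            skipped.append((art["id"], "malformed value"))
            continue
        updates.append({"id": art["id"], "type": art["type"], **handler(value)})
    return updates, skipped


# Constructed sample, standing in for the incident's artifact list from the REST API.
SAMPLE_ARTIFACTS = [
    {"id": 1, "type": "System Name", "value": "WS-Finance-07.corp.example"},
    {"id": 2, "type": "MAC Address", "value": "00-1a-2b-3c-4d-5e"},
    {"id": 3, "type": "IP Address", "value": "10.20.30.40"},
    {"id": 4, "type": "IP Address", "value": "not an ip"},
    {"id": 5, "type": "URL", "value": "http://example.invalid/path"},
]

if __name__ == "__main__":
    done, left = enrich_incident_artifacts(SAMPLE_ARTIFACTS)
    for u in done:
        print("update artifact %d (%s): %s -> %s" % (u["id"], u["type"], u["value"], u["description"]))
    for art_id, why in left:
        print("skip artifact %d: %s" % (art_id, why))
```

In the playbook variant (reply 5), `route` is what the condition point does and the function receives `artifact.type` and `artifact.value` as inputs; in the integration variant (reply 4), `enrich_incident_artifacts` runs over the list fetched from the incident and each entry in `updates` becomes one artifact update sent back. The `validate` step matters in both: artifacts are often attacker-supplied strings, and a malformed value should be skipped and noted rather than forwarded to an external tool.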