IBM QRadar SOAR: Handling Incident Artifacts with Playbooks
IBM QRadar SOAR allows automated email sending through the fn_task_utils app.
This app lets you interact with SOAR artifacts for use in other automations.
More details here: Task Utilities
The code is available on my GitHub: IBM QRadar Samples
Prerequisites
- IBM QRadar SOAR configured.
- fn_task_utils app installed.
Configuring the Playbook
In your playbook:
1) Add or edit the Artifact Utils: Search Artifacts function.
Set:
- Output Name: artifact_utils_search_result
- incident_id: incident.id
- artifact_include_incident_count: Yes
2) Add or edit the Get Artifacts script.
Provide the following code:
# Result of the Artifact Utils: Search Artifacts function (Output Name set above)
artifacts_search = playbook.functions.results.artifact_utils_search_result.get('content')
incident_artifacts = artifacts_search.get('data', [])

# Return the value of the first artifact of the given type ("" if none is found)
def get_artifact(artifact_type):
    artifact_value = ""
    for artifact in incident_artifacts:
        if artifact.get('type') == artifact_type:
            artifact_value = artifact.get('value')
            break
    return artifact_value

email_rcpt = get_artifact("Email Recipient")
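The script above returns the first matching value unchanged, and artifact values come from incident data, so a recipient is worth checking before another automation uses it. The block below is an added example, not code from the original post or from IBM: it runs as standalone Python outside SOAR against a constructed result with the same `content` / `data` / `type` / `value` shape, and the function names and the allowed-domain policy are assumptions.

```python
import re

# Constructed sample shaped like the result the page's script reads:
# artifact_utils_search_result -> content -> data -> [{type, value}, ...]
SAMPLE_RESULT = {
    "content": {
        "data": [
            {"type": "IP Address", "value": "198.51.100.7"},
            {"type": "Email Recipient", "value": "analyst@example.com"},
            {"type": "Email Recipient", "value": "Analyst@Example.com "},
            {"type": "Email Recipient", "value": "analyst@example.com\r\nextra"},
            {"type": "Email Recipient", "value": "someone@example.net"},
            {"type": "Email Recipient", "value": None},
        ]
    }
}

# Assumption: hypothetical policy limiting recipients to these domains.
ALLOWED_DOMAINS = {"example.com"}
# Deliberately strict: a single address, no whitespace or control characters.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)")


def get_artifact_values(result, artifact_type):
    """Return every value of the given artifact type, in order (may be empty)."""
    content = (result or {}).get("content") or {}
    return [a.get("value") for a in (content.get("data") or [])
            if a.get("type") == artifact_type]


def safe_recipients(result, artifact_type="Email Recipient"):
    """Split artifact values into (accepted, rejected) before any mail is sent."""
    accepted, rejected = [], []
    for raw in get_artifact_values(result, artifact_type):
        value = (raw or "").strip().lower()
        match = ADDRESS_RE.fullmatch(value)
        if match and match.group(1) in ALLOWED_DOMAINS:
            if value not in accepted:   # drop duplicates after normalising
                accepted.append(value)
        else:
            rejected.append(raw)        # keep the raw value for an analyst note
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = safe_recipients(SAMPLE_RESULT)
    print("send to:", ok)
    print("rejected:", bad)
```

Rejected values are returned rather than silently dropped so the playbook can record them on the incident for review.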