IBM QRadar SOAR: Handling Incident Tasks with Playbooks

Revision as of 11:36, 12 June 2025 by Ebasso

IBM QRadar SOAR allows automated email sending through the fn_task_utils app.

This app allows you to interact with SOAR Artifacts for use with other automations.

More details here: Task Utilities (https://ibmresilient.github.io/resilient-community-apps/fn_task_utils/README.html)

Prerequisites

  • IBM QRadar SOAR configured.
  • fn_task_utils app installed.


Configuring the Playbook

In your playbook:

1) Add or edit the Artifact Utils: Search Artifacts function.

Set:

  • Output Name: artifact_utils_search_result
  • incident_id: incident.id
  • artifact_include_incident_count: Yes


2) Add or edit the Get Artifacts script.

Provide the following code:

# Result of the Search Artifacts function (Output Name set in step 1)
artifacts_search = playbook.functions.results.artifact_utils_search_result.get('content') or {}
incident_artifacts = artifacts_search.get('data', [])

# Returns the value of the first artifact of the given type, or "" if none is found
def get_artifact(artifact_type):
  artifact_value = ""

  for artifact in incident_artifacts:
    if artifact.get('type') == artifact_type:
      artifact_value = artifact.get('value')
      break

  return artifact_value

email_rcpt = get_artifact("Email Recipient")
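
An added example (not part of the original page or of the app's own code): an offline version of the lookup above that returns every matching artifact and checks each value before it is used as a mail recipient, since artifact values often come from untrusted message content. The result shape in SAMPLE_RESULT, the helper names and the address pattern are assumptions made for this example.

```python
import re

# Constructed sample mimicking the shape the script above reads:
# result.get('content') -> {'data': [{'type': ..., 'value': ...}, ...]}
SAMPLE_RESULT = {
    "content": {
        "data": [
            {"type": "IP Address", "value": "192.0.2.10"},
            {"type": "Email Recipient", "value": "analyst@example.com"},
            # Constructed malformed value: embedded line break and extra header text
            {"type": "Email Recipient", "value": "victim@example.com\r\nBcc: x@example.net"},
            # Same address again, different case and trailing space
            {"type": "Email Recipient", "value": "Analyst@Example.com "},
        ]
    }
}

# Deliberately strict (assumed policy): one address, no whitespace, no separators.
_EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def get_artifact_values(result, artifact_type):
    """Return every value of the given type, in order; tolerate an empty result."""
    content = (result or {}).get("content") or {}
    return [a.get("value") or "" for a in content.get("data", [])
            if a.get("type") == artifact_type]


def safe_recipients(result, artifact_type="Email Recipient"):
    """Split values into (accepted, rejected) so bad ones are logged, not mailed."""
    accepted, rejected, seen = [], [], set()
    for raw in get_artifact_values(result, artifact_type):
        value = raw.strip()
        if _EMAIL_RE.fullmatch(value) is None:
            rejected.append(raw)
            continue
        key = value.lower()
        if key not in seen:  # de-duplicate case-insensitively
            seen.add(key)
            accepted.append(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = safe_recipients(SAMPLE_RESULT)
    print("send to:", ok)
    print("rejected:", [repr(v) for v in bad])
```
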

See also