IBM QRadar SOAR: Working with Incident Properties with Playbooks

Revision as of 17:26, 16 June 2025 by Ebasso

Simple playbook to close an Incident

Configuring the Playbook

In your playbook:

1) Add or edit the Define Properties script.

Provide the following code:

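# A property value can be a dict built key by key...
x_var = {}
x_var['value'] = 'Blablabla'

# ...or a dict literal with several fields
my_vars = {
    "id": 4,
    "default_inc_type": "Phishing",
    "username": "John Connor"
}

# Store both on the playbook so that later scripts can read them
playbook.addProperty('x_var', x_var)
playbook.addProperty('my_vars', my_vars)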

2) Add or edit the Define Properties script.

Provide the following code:

# Read a single field from the x_var property and record it in a note
valor = playbook.properties['x_var']['value']
incident.addNote("x_var = |{}| ".format(valor))

# Read each field of the my_vars property
my_id = playbook.properties['my_vars']['id']
inc_type = playbook.properties['my_vars']['default_inc_type']
username = playbook.properties['my_vars']['username']

incident.addNote("my_vars:  my_id={}, inc_type:{}, username:{}    ".format(my_id, inc_type, username))
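To check the hand-off between the two scripts outside the platform, the following added example (not part of the original page and not IBM code) runs both against stand-in objects. `FakePlaybook`, `FakeIncident`, `run_playbook` and `missing_property` are hypothetical names, and the `KeyError` on an undefined property is the behaviour of the stand-in dict, not a statement about the product.

```python
# Added example: FakePlaybook and FakeIncident are hypothetical test doubles
# that model only the calls used on this page, not the real SOAR objects.
class FakePlaybook:
    def __init__(self):
        self.properties = {}

    def addProperty(self, name, value):
        self.properties[name] = value

class FakeIncident:
    def __init__(self):
        self.notes = []

    def addNote(self, text):
        self.notes.append(text)

# The page's two scripts, embedded as source text (note text tidied).
DEFINE_SCRIPT = '''
x_var = {'value': 'Blablabla'}
my_vars = {"id": 4, "default_inc_type": "Phishing", "username": "John Connor"}
playbook.addProperty('x_var', x_var)
playbook.addProperty('my_vars', my_vars)
'''

READ_SCRIPT = '''
valor = playbook.properties['x_var']['value']
incident.addNote("x_var = |{}|".format(valor))
mv = playbook.properties['my_vars']
incident.addNote("my_vars: my_id={}, inc_type={}, username={}".format(
    mv['id'], mv['default_inc_type'], mv['username']))
'''

def run_playbook(scripts):
    """Run script sources in order against one shared playbook/incident pair."""
    playbook, incident = FakePlaybook(), FakeIncident()
    for source in scripts:
        # Fresh globals per script: locals such as x_var do not carry over,
        # only what was stored with addProperty does.
        exec(source, {"playbook": playbook, "incident": incident})
    return playbook, incident

def missing_property(scripts):
    """Name of the first property a script reads before it was defined, else None."""
    try:
        run_playbook(scripts)
    except KeyError as exc:
        return exc.args[0]
    return None
```

Running the reading script without the defining script first makes `missing_property` report `x_var`, which is the ordering mistake this kind of check catches before the playbook is enabled.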



See also