IBM QRadar SOAR: Working with Incident Properties with Playbooks
Simple playbook to close an Incident
Configuring the Playbook
Simple Property
Add or edit the Define Properties script. Provide the following code:
# A playbook property is stored as a dict under a name
x_var = {}
x_var['value'] = 'Blablabla'
playbook.addProperty('x_var', x_var)
Add or edit the Read Properties script. Provide the following code:
valor = playbook.properties['x_var']['value']
incident.addNote("x_var = |{}| ".format(valor))
Multiple Property
Add or edit the Define Properties script. Provide the following code:
# One property can carry several related values
my_vars = {
    "id": 4,
    "default_inc_type": "Phishing",
    "username": "John Connor"
}
playbook.addProperty('my_vars', my_vars)
Add or edit the Read Properties script. Provide the following code:
my_id = playbook.properties['my_vars']['id']
inc_type = playbook.properties['my_vars']['default_inc_type']
username = playbook.properties['my_vars']['username']
incident.addNote("my_vars: my_id={}, inc_type:{}, username:{} ".format(my_id, inc_type, username))
JSON
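Add or edit the Define Properties script. Provide the following code:
# Result from REST API
results = playbook.functions.results.rest_response
js_result = results.content.json
# addProperty takes the property name first, then the dict to store;
# 'js_result' is an example property name
playbook.addProperty('js_result', js_result)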
Arrays
Add or edit the Define Properties script. Provide the following code:
# The list is wrapped in a dict so it can be stored as a property
whitelist_domains = {
    "whitelist_domains": ["domain01.com", "domain02.com"]
}
playbook.addProperty('whitelist_domains', whitelist_domains)
Add or edit the Read Properties script. Provide the following code:
def is_not_restricted(e_mail):
    whitelist_domains = playbook.properties['whitelist_domains']['whitelist_domains']
    # Split the email at '@' and get the domain part
    domain = e_mail.split('@')[-1].lower()
    return domain not in whitelist_domains
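The following is an added example, not part of the original page or of IBM's code: a stricter variant of the domain check above that also handles "Display Name <address>" input, mixed-case allow-list entries and malformed addresses. `PlaybookStub` and `extract_domain` are hypothetical names; the stub only mimics the `addProperty` and `properties` usage shown on this page so the check can be tested outside SOAR, and all sample data is constructed.

```python
from email.utils import parseaddr


class PlaybookStub:
    """Hypothetical local stand-in for the SOAR `playbook` object (tests only)."""

    def __init__(self):
        self.properties = {}

    def addProperty(self, name, value):
        self.properties[name] = value


playbook = PlaybookStub()

# "Define Properties" step; entries deliberately untidy (constructed data).
playbook.addProperty("whitelist_domains",
                     {"whitelist_domains": ["domain01.com", "Domain02.COM "]})


def extract_domain(e_mail):
    """Return the lower-cased domain of an address, or None if malformed."""
    _, addr = parseaddr(e_mail or "")  # drops a 'Display Name <...>' wrapper
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    domain = domain.strip().lower()
    if not local or "." not in domain:
        return None
    return domain


def is_not_restricted(e_mail):
    """True when the sender's domain is NOT an exact entry in the allow list."""
    entries = playbook.properties["whitelist_domains"]["whitelist_domains"]
    allowed = {d.strip().lower() for d in entries}
    domain = extract_domain(e_mail)
    # Malformed or missing addresses are never treated as allow-listed.
    return domain is None or domain not in allowed
```

Inside a SOAR script, drop the stub and the constructed `addProperty` call and use the real `playbook` object.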
Iterator on a Loop
Add or edit the Define Properties script. Provide the following code:
iterator = { "valor": 10 }
playbook.addProperty('iterator', iterator)
Add or edit the Read Properties script. Provide the following code:
# Read the current counter, decrement it, and store it back under the same name
it_var = int(playbook.properties['iterator']['valor']) - 1
iterator = { "valor": it_var }
playbook.addProperty('iterator', iterator)