Skip to main content

IBM Resilient Systems

This Integration is part of the IBM Resilient Systems Pack.#

Case management that enables visibility across your tools for continual IR improvement.

Configure IBM Resilient Systems on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for IBM Resilient Systems.

  3. Click Add instance to create and configure a new integration instance.

    ParameterRequired
    Server URL (e.g. 192.168.0.1)True
    CredentialsFalse
    PasswordFalse
    Organization nameTrue
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Fetch incidentsFalse
    Incident typeFalse
    First fetch timestamp (YYYY-MM-DDTHH:MM:SSZ). For example: 2020-02-02T19:00:00ZFalse
    API key IDFalse
    API key secretFalse
  4. Click Test to validate the URLs, token, and connection.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

rs-search-incidents#


Query for incidents

Base Command#

rs-search-incidents

Input#

Argument NameDescriptionRequired
severityComma-separated list of incident severity, e.g., Low,Medium,High.Optional
date-created-beforeCreated date of the incident before the given date in the formatYYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
date-created-afterCreated date of the incident after the given date in the format YYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
date-created-within-the-lastCreated date of the incident within the last time frame (days/hours/minutes). Should be given a number, along with with the timeframe argument.Optional
timeframeTime frame to search within for incident. Should be given with within-the-last/due-in argument. Possible values: "days", "hours", "minutes". Possible values are: days, hours, minutes.Optional
date-occurred-within-the-lastOccurred date of the incident within the last time frame (days/hours/minutes). Should be given a number, along with the timeframe argument.Optional
date-occurred-beforeOccurred date of the incident before the given date in the format YYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
date-occurred-afterOccurred date of the incident after the given date in the format YYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
incident-typeIncident type. Possible values are: CommunicationError, DenialOfService, ImproperDisposal:DigitalAsset, ImproperDisposal:documents/files, LostDocuments/files/records, LostPC/laptop/tablet, LostPDA/smartphone, LostStorageDevice/media, Malware, NotAnIssue, Other, Phishing, StolenDocuments/files/records, StolenPC/laptop/tablet, StolenPDA/Smartphone, StolenStorageDevice/media, SystemIntrusion, TBD/Unknown, Vendor/3rdPartyError.Optional
nistNIST Attack Vectors. Possible values: "Attrition", "E-mail", "External/RemovableMedia", "Impersonation", "ImproperUsage", "Loss/TheftOfEquipment", "Other", "Web". Possible values are: Attrition, E-mail, External/RemovableMedia, Impersonation, ImproperUsage, Loss/TheftOfEquipment, Other, Web.Optional
statusIncident status. Possible values: "Active" and "Closed". Possible values are: Active, Closed.Optional
due-inDue date of the incident in given time frame (days/hours/minutes). Should be given a number, along with the timeframe argument.Optional

Context Output#

PathTypeDescription
Resilient.Incidents.CreateDatestringCreated date of the incident.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.DiscoveredDatestringDiscovered date of the incident.
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.PhasestringIncident Phase.
Resilient.Incidents.SeveritystringIncident severity.
Resilient.Incidents.DescriptionstringIncident description.

Command Example#

!rs-search-incidents

Context Example#

{
"Resilient": {
"Incidents": [
{
"CreatedDate": "2000-01-01T00:00:00Z",
"DiscoveredDate": "1970-01-01T00:00:00Z",
"Id": "1234",
"Name": "example",
"Owner": "example example",
"Phase": "Respond",
"SequenceCode": "E123-45"
},
{
"CreatedDate": "2000-01-01T00:00:00Z",
"DiscoveredDate": "1970-01-01T00:00:00Z",
"Id": "5678",
"Name": "example",
"Owner": "example example",
"Phase": "Respond",
"SequenceCode": "E678-90"
}
]
}
}

Human Readable Output#

Resilient Systems Incidents#

IdNameCreatedDateDiscoveredDateOwnerPhase
1234example2000-01-01T00:00:00Z1970-01-01T00:00:00Zexample exampleRespond
5678example2000-01-01T00:00:00Z1970-01-01T00:00:00Zexample exampleRespond

rs-update-incident#


Updates incidents.

Base Command#

rs-update-incident

Input#

Argument NameDescriptionRequired
incident-idIncident ID to update.Required
severitySeverity to update. Possible value: "Low", "Medium", and "High". Possible values are: Low, Medium, High.Optional
ownerUser full name to set as incident owner, e.g., Steve Jobs.Optional
incident-typeIncident type (added to the current incident types list). Possible values are: CommunicationError, DenialOfService, ImproperDisposal:DigitalAsset, ImproperDisposal:documents/files, LostDocuments/files/records, LostPC/laptop/tablet, LostPDA/smartphone, LostStorageDevice/media, Malware, NotAnIssue, Other, Phishing, StolenDocuments/files/records, StolenPC/laptop/tablet, StolenPDA/Smartphone, StolenStorageDevice/media, SystemIntrusion, TBD/Unknown, Vendor/3rdPartyError.Optional
resolutionIncident resolution. Possible value: "Unresolved", "Duplicate", "NotAnIssue", and "Resolved". Possible values are: Unresolved, Duplicate, NotAnIssue, Resolved.Optional
resolution-summaryIncident resolution summary.Optional
descriptionIncident description.Optional
nameIncident name.Optional
nistNIST Attack Vectors (added to the current list of NIST attack vectors). Possible values: "Attrition", "E-mail", "External/RemovableMedia", "Impersonation", "ImproperUsage", "Loss/TheftOfEquipment", "Other", "Web". Possible values are: Attrition, E-mail, External/RemovableMedia, Impersonation, ImproperUsage, Loss/TheftOfEquipment, Other, Web.Optional
other-fieldsA JSON object of the form: {field_name: new_field_value}. For example: {"description": {"textarea": {"format": "html", "content": "The new description"}}, "name": {"text": "The new name"}}. Because of API limitations we currently support only fields of the following types: ID, list of IDS, Number, Boolean, Text, Data, Textarea. In case of conflicts between the other-fields argument and the regular fields arguments, the other-fields value will be used.Optional

Context Output#

There is no context output for this command.

Command Example#

!rs-update-incident incident-id=1234 severity=High incident-type=Malware

Human Readable Output#

Incident 1234 was updated successfully.

rs-incidents-get-members#


Gets members of the incident.

Base Command#

rs-incidents-get-members

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get members of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IDstringIncident ID.
Resilient.Incidents.Members.FirstNamestringMember's first name.
Resilient.Incidents.Members.LastNamestringMember's last name.
Resilient.Incidents.Members.IDnumberMember's ID.
Resilient.Incidents.Members.EmailstringMember's email address.

Command Example#

!rs-incidents-get-members incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1234",
"Members": [
{
"Email": "example@example.com",
"FirstName": "example",
"ID": 1,
"LastName": "example"
}
]
}
}
}

Human Readable Output#

Members of incident 1234#

IDLastNameFirstNameEmail
1exampleexampleexample@example.com

rs-get-incident#


Gets an individual incident by ID.

Base Command#

rs-get-incident

Input#

Argument NameDescriptionRequired
incident-idID of incident to get.Required

Context Output#

PathTypeDescription
Resilient.Incidents.CreateDatestringCreated date of the incident.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.ResolutionstringIncident resolution.
Resilient.Incidents.DiscoveredDatestringDiscovered date of the incident.
Resilient.Incidents.ResolutionSummarystringIncident resolution summary.
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.PhasestringIncident phase.
Resilient.Incidents.SeveritystringIncident severity.
Resilient.Incidents.DescriptionstringIncident description.
Resilient.Incidents.ConfirmedbooleanIncident confirmation.
Resilient.Incidents.NegativePrbooleanWhether negative PR is likely.
Resilient.Incidents.DateOccurredstringDate incident occurred.
Resilient.Incidents.ReporterstringName of reporting individual.
Resilient.Incidents.NistAttackVectorsUnknownIncident NIST attack vectors.

Command Example#

!rs-get-incident incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Confirmed": true,
"CreatedDate": "2000-01-01T00:00:00Z",
"DateOccurred": "2000-01-01T00:00:00Z",
"Description": "example",
"DiscoveredDate": "2000-01-01T00:00:00Z",
"ExposureType": "Unknown",
"Id": "1234",
"Name": "example",
"NistAttackVectors": "E-mail\n",
"Owner": "example example",
"Phase": "Engage",
"Reporter": "example example",
"Severity": "High"
}
}
}

Human Readable Output#

IBM Resilient Systems incident ID 1234#

IdNameDescriptionNistAttackVectorsPhaseResolutionResolutionSummaryOwnerCreatedDateDateOccurredDiscoveredDateDueDateNegativePrConfirmedExposureTypeSeverityReporter
1234exampleexampleE-mail
Engageexample example2000-01-01T00:00:00Z2000-01-01T00:00:00Z2000-01-01T00:00:00ZtrueUnknownHighexample example

rs-incidents-update-member#


Updates the incident's members.

Base Command#

rs-incidents-update-member

Input#

Argument NameDescriptionRequired
incident-idID of the incident for which to update its members.Required
membersA comma-separated list of members to add, e.g. 1,2,3.Required

Context Output#

There is no context output for this command.

Command Example#

!rs-incidents-update-member incident-id=1234 members=2

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1234",
"Members": {
"Email": "example@exampe.com",
"FirstName": "example",
"ID": 2,
"LastName": "example",
"members": [],
"vers": 10
}
}
}
}

Human Readable Output#

Members of incident 1234#

EmailFirstNameIDLastNamemembersvers
example@example.comexample2example10

rs-get-users#


Gets a list of all users in the system.

Base Command#

rs-get-users

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!rs-get-users

Human Readable Output#

IBM Resilient Systems Users#

IDLastNameFirstNameEmail
1exampleexampleexample@example.com
2example1example1example1@example.com

rs-close-incident#


Closes an incident.

Base Command#

rs-close-incident

Input#

Argument NameDescriptionRequired
incident-idID of the incident to close.Required

Context Output#

There is no context output for this command.

Command Example#

!rs-close-incident incident-id=1234

Human Readable Output#

Incident 1234 was closed.

rs-create-incident#


Creates an incident.

Base Command#

rs-create-incident

Input#

Argument NameDescriptionRequired
nameIncident name.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.NamestringIncident name.

Command Example#

!rs-create-incident name=IncidentName

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1235",
"Name": "IncidentName"
}
}
}

Human Readable Output#

Incident IncidentName was created#

IDName
1235IncidentName

rs-incident-artifacts#


Gets incident artifacts.

Base Command#

rs-incident-artifacts

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get artifacts of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.Artifacts.CreatedDatestringArtifact created date.
Resilient.Incidents.Artifacts.CreatorstringArtifact creator.
Resilient.Incidents.Artifacts.DescriptionstringArtifact description.
Resilient.Incidents.Artifacts.IDnumberArtifact ID.
Resilient.Incidents.Artifacts.TypestringArtifact type.
Resilient.Incidents.Artifacts.ValuestringArtifact value.
Resilient.Incidents.Artifacts.Attachments.ContentTypestringAttachment content type.
Resilient.Incidents.Artifacts.Attachments.CreatedDatestringAttachment created date.
Resilient.Incidents.Artifacts.Attachments.CreatorstringAttachment creator.
Resilient.Incidents.Artifacts.Attachments.IDnumberAttachment ID.
Resilient.Incidents.Artifacts.Attachments.NamestringAttachment name.
Resilient.Incidents.Artifacts.Attachments.SizenumberAttachment size.

Command Example#

!rs-incident-artifacts incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Artifacts": [
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"Description": "example",
"ID": 1,
"Type": "IP Address",
"Value": "1.1.1.1"
},
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"Description": "example",
"ID": 2,
"Type": "IP Address",
"Value": "2.2.2.2"
}
],
"Id": "1234",
"Name": "example"
}
}
}

Human Readable Output#

Incident 1234 artifacts#

IDValueDescriptionCreatedDateCreator
11.1.1.1example2000-00-00T00:00:00Zexample example
22.2.2.2example2000-00-00T00:00:00Zexample example

rs-incident-attachments#


Gets incident attachments.

Base Command#

rs-incident-attachments

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get attachments from.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.OwnerstringIncident owner.
Resilient.Incidents.Attachments.ContentTypestringAttachment content type.
Resilient.Incidents.Attachments.CreatedDatestringAttachment created date.
Resilient.Incidents.Attachments.CreatorstringAttachment creator.
Resilient.Incidents.Attachments.IDnumberAttachment ID.
Resilient.Incidents.Attachments.NamestringAttachment name.
Resilient.Incidents.Attachments.SizenumberAttachment size.

Command Example#

!rs-incident-attachments incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Attachments": [
{
"ContentType": "example",
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"ID": 1,
"Name": "example",
"Size": 10
}
],
"Id": "1234",
"Name": "example",
"Owner": "example example"
}
}
}

Human Readable Output#

Incident 1234 attachments#

ContentTypeCreatedDateCreatorIDNameSize
example2000-00-00T00:00:00Zexample example1example10

rs-related-incidents#


Gets related incidents.

Base Command#

rs-related-incidents

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get related incidents of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.Related.CreatedDatestringCreated date of the related incident.
Resilient.Incidents.Related.NamestringName of the related incident.
Resilient.Incidents.Related.IDnumberID of the related incident.
Resilient.Incidents.Related.StatusstringStatus (Active/Closed) of the related incident.
Resilient.Incidents.Related.Artifacts.CreatedDatestringCreated date of the artifact.
Resilient.Incidents.Related.Artifacts.IDnumberID of the artifact.
Resilient.Incidents.Related.Artifacts.CreatorstringCreator of the artifact.

Command Example#

!rs-related-incidents incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1234",
"Related": [
{
"Artifacts": [
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"ID": 1
},
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"Description": "example",
"ID": 2
}
],
"CreatedDate": "2000-00-00T00:00:00Z",
"ID": 1235,
"Name": "example",
"Status": "Closed"
}
]
}
}
}

Human Readable Output#

Incident 1234 related incidents#

ArtifactsCreatedDateIDNameStatus
ID: 1
Created Date: 2000-00-00T00:00:00Z
Creator: example example
ID: 2
Created Date: 2000-00-00T00:00:00Z
Description: example

Creator: example example
2000-00-00T00:00:00Z1234exampleClosed

rs-incidents-get-tasks#


Gets tasks of incidents.

Base Command#

rs-incidents-get-tasks

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get tasks of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.Tasks.CategorystringTask category.
Resilient.Incidents.Tasks.CreatorstringTask creator.
Resilient.Incidents.Tasks.DueDatestringTask due date.
Resilient.Incidents.Tasks.FormstringTask form.
Resilient.Incidents.Tasks.IDstringTask ID.
Resilient.Incidents.Tasks.NamestringTask name.
Resilient.Incidents.Tasks.RequiredbooleanWhether the task is required.
Resilient.Incidents.Tasks.StatusstringTask status (Open/Closed).

Command Example#

!rs-incidents-get-tasks incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1234",
"Name": "example",
"Tasks": [
{
"Category": "Respond",
"Creator": "example example",
"Form": "data_compromised, determined_date",
"ID": 1,
"Name": "example",
"Required": true,
"Status": "Open"
}
]
}
}
}

Human Readable Output#

Incident 1234 tasks#

IDNameCategoryFormStatusDueDateInstructionsUserNotesRequiredCreator
1exampleResponddata_compromised, determined_dateOpentrueexample example

rs-add-note#


Add a note to an incident.

Base Command#

rs-add-note

Input#

Argument NameDescriptionRequired
incident-idThe ID of the incident.Required
noteThe text of the note.Required

Context Output#

PathTypeDescription
Resilient.IncidentNote.typeStringThe type of the note (incident or task).
Resilient.IncidentNote.idNumberThe note's ID.
Resilient.IncidentNote.parent_idNumberThe ID of the parent note (null for top-level note)..
Resilient.IncidentNote.user_idNumberThe ID of the user who created the note.
Resilient.IncidentNote.user_fnameStringThe user's first name.
Resilient.IncidentNote.user_lnameStringThe user's last name.
Resilient.IncidentNote.textStringThe note text.
Resilient.IncidentNote.create_dateDateThe date the note was created.
Resilient.IncidentNote.modify_dateDateThe date the note was modified.
Resilient.IncidentNote.is_deletedBooleanThe flag indicating if the note is deleted. Generally, note objects are removed from the database when the user deletes them. However, if the user deletes a parent note, the parent is just marked as deleted (and its text is cleared).
Resilient.IncidentNote.modify_user.idNumberThe ID of the user who last modified the note.
Resilient.IncidentNote.modify_user.first_nameStringThe first name of the user who last modified the note.
Resilient.IncidentNote.modify_user.last_nameStringThe last name of the user who last modified the note.
Resilient.IncidentNote.inc_idNumberThe ID of the incident to which this note belongs.
Resilient.IncidentNote.inc_nameStringThe name of the incident to which this note belongs.
Resilient.IncidentNote.task_idNumberThe ID of the task to which this note belongs. Will be null on incident notes.
Resilient.IncidentNote.task_nameStringThe name of the task to which this note belongs. Will be null on incident notes.
Resilient.IncidentNote.task_customBoooleanFor a task note, whether that task is a custom task. Null for incident notes.
Resilient.IncidentNote.task_membersUnknownFor a task note, the list of that task's members, if any. Null for incident notes.
Resilient.IncidentNote.task_at_idUnknownFor a task note, whether that task is an automatic task. Null for incident notes and task notes that are not automatically generated.
Resilient.IncidentNote.inc_ownerNumberThe owner of the incident to which this note belongs.
Resilient.IncidentNote.user_nameStringThe name of the owner of the incident to which this note belongs.
Resilient.IncidentNote.modify_principal.idNumberThe ID of the principal.
Resilient.IncidentNote.modify_principal.typeStringThe type of the principal. Currently only user or group.
Resilient.IncidentNote.modify_principal.nameStringThe name of the principal.
Resilient.IncidentNote.modify_principal.display_nameStringThe display name of the principal.
Resilient.IncidentNote.comment_perms.updateBooleanWhether the current user has permission to update this note.
Resilient.IncidentNote.comment_perms.deleteBooleanWhether the current user has permission to delete this note.

Command Example#

!rs-add-note incident-id=1234 note="This is a note"

Context Example#

{
"Resilient": {
"incidentNote": {
"actions": [],
"children": [],
"comment_perms": {
"delete": true,
"update": true
},
"create_date": 1600000000000,
"id": 10,
"inc_id": 1234,
"inc_name": "example",
"inc_owner": 1,
"is_deleted": false,
"mentioned_users": [],
"modify_date": 1600000000000,
"modify_principal": {
"display_name": "example example",
"id": 1,
"name": "example@example.com",
"type": "user"
},
"modify_user": {
"first_name": "example",
"id": 1,
"last_name": "example"
},
"parent_id": null,
"task_at_id": null,
"task_custom": null,
"task_id": null,
"task_members": null,
"task_name": null,
"text": "<div>This is a note</div>",
"type": "incident",
"user_fname": "example",
"user_id": 1,
"user_lname": "example",
"user_name": "example example"
}
}
}

Human Readable Output#

The note was added successfully to incident 1234

rs-add-artifact#


Add an artifact to an incident.

Base Command#

rs-add-artifact

Input#

Argument NameDescriptionRequired
incident-idThe ID of the incident.Required
artifact-typeThe type of the artifact. Possible values are: DNS Name, Email Attachment, Email Attachment Name, Email Body, Email Recipient, Email Sender, Email Sender Name, Email Subject, File Name, File Path, HTTP Request Header, HTTP Response Header, IP Address, Log File, MAC Address, Malware Family/Variant, Malware MD5 Hash, Malware Sample, Malware Sample Fuzzy Hash, Malware SHA-1 Hash, Malware SHA-256 Hash, Mutex, Network CIDR Range, Observed Data, Other File, Password, Port, Process Name, Registry Key, RFC 822 Email Message File, Service, String, System Name, Threat CVE ID, URI Path, URL, URL Referer, User Account, User Agent, X509 Certificate File.Required
artifact-valueThe value of the artifact.Required
artifact-descriptionThe description of the artifact.Optional

Context Output#

PathTypeDescription
Resilient.IncidentArtifact.idNumberThe ID of the artifact.
Resilient.IncidentArtifact.typeNumberThe type of the artifact.
Resilient.IncidentArtifact.valueStringThe value of the artifact. For example, the IP address for an IP address artifact.
Resilient.IncidentArtifact.descriptionStringThe description of the artifact.
Resilient.IncidentArtifact.attachmentUnknownThe files attached to the artifact.
Resilient.IncidentArtifact.parent_idNumberThe parent artifact ID.
Resilient.IncidentArtifact.creator.idNumberThe ID of the artifact creator.
Resilient.IncidentArtifact.creator.fnameStringThe first name of the artifact creator.
Resilient.IncidentArtifact.creator.lnameStringThe last name of the artifact creator.
Resilient.IncidentArtifact.creator.display_nameStringThe display name of the artifact creator.
Resilient.IncidentArtifact.creator.statusStringThe status of the artifact creator.
Resilient.IncidentArtifact.creator.emailStringThe email of the artifact creator.
Resilient.IncidentArtifact.creator.phoneStringThe phone number of the artifact creator.
Resilient.IncidentArtifact.creator.cellStringThe cellphone number of the artifact creator.
Resilient.IncidentArtifact.creator.titleStringThe user's job title (e.g., Incident Response Manager).
Resilient.IncidentArtifact.creator.lockedBooleanThe status of the creator's account. (True if locked. false otherwise).
Resilient.IncidentArtifact.creator.password_changedBooleanWhether the user's password has changed. (True if changed, false otherwise).
Resilient.IncidentArtifact.creator.is_externalBooleanWhether the user's account is authenticated externally.
Resilient.IncidentArtifact.creator.ui_themeStringThe UI theme the user has selected. The Resilient UI recognizes the following values (darkmode, lightmode, verydarkmode).
Resilient.IncidentArtifact.inc_idNumberThe incident ID.
Resilient.IncidentArtifact.inc_nameStringThe incident name.
Resilient.IncidentArtifact.inc_ownerNumberThe incident owner.
Resilient.IncidentArtifact.createdDateThe date when the artifact is created.
Resilient.IncidentArtifact.last_modified_timeDateThe last date on which the artifact changed.
Resilient.IncidentArtifact.last_modified_by.idNumberThe ID of the user who last changed the artifact.
Resilient.IncidentArtifact.last_modified_by.typeStringThe type of user who last changed the artifact.
Resilient.IncidentArtifact.last_modified_by.nameStringThe name of the user who last changed the artifact.
Resilient.IncidentArtifact.last_modified_by.display_nameStringThe display name of the user who last changed the artifact.
Resilient.IncidentArtifact.perms.readBooleanWhether the current user has permission to read this artifact.
Resilient.IncidentArtifact.perms.writeBooleanWhether the current user has permission to write to this artifact.
Resilient.IncidentArtifact.perms.deleteBooleanWhether the current user has permission to delete this artifact.
Resilient.IncidentArtifact.propertiesUnknownThe additional artifact properties.
Resilient.IncidentArtifact.hashStringThe hash of the incident.
Resilient.IncidentArtifact.relatingBooleanWhether this artifact should be used for relating to other incidents. Null means use the default specified by the type. True means to always relate. False means to never relate.
Resilient.IncidentArtifact.creator_principal.idNumberThe ID of the principal.
Resilient.IncidentArtifact.creator_principal.typeStringThe type of the principal. Currently only user or group.
Resilient.IncidentArtifact.creator_principal.nameStringThe API name of the principal.
Resilient.IncidentArtifact.creator_principal.display_nameStringThe display name of the principal.
Resilient.IncidentArtifact.ip.sourceBooleanWhether the IP address is a source.
Resilient.IncidentArtifact.ip.destinationBooleanWhether the IP address is a destination.

Command Example#

!rs-add-artifact artifact-type="IP Address" artifact-value=1.1.1.1 incident-id=1234 artifact-description="This is a description"

Context Example#

{
"Resilient": {
"incidentArtifact": {
"actions": [],
"attachment": null,
"created": 1600000000000,
"creator": {
"cell": "",
"display_name": "example example",
"email": "example@example.com",
"fname": "example",
"id": 9,
"is_external": false,
"lname": "example",
"locked": false,
"password_changed": false,
"phone": "",
"status": "A",
"title": "",
"ui_theme": "darkmode"
},
"creator_principal": {
"display_name": "example example",
"id": 1,
"name": "example@example.com",
"type": "user"
},
"description": "example",
"hash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"hits": [],
"id": 1,
"inc_id": 1234,
"inc_name": "example",
"inc_owner": 1,
"ip": {
"destination": null,
"source": null
},
"last_modified_by": {
"display_name": "example example",
"id": 1,
"name": "example@example.com",
"type": "user"
},
"last_modified_time": 1600000000000,
"parent_id": null,
"pending_sources": [],
"perms": {
"delete": true,
"read": true,
"write": true
},
"properties": null,
"relating": null,
"type": 1,
"value": "1.1.1.1"
}
}
}

Human Readable Output#

The artifact was added successfully to incident 1234