Skip to main content

IBM Security QRadar SOAR

This Integration is part of the IBM Security QRadar SOAR Pack.#

Case management that enables visibility across your tools for continual IR improvement.

Configure IBM Resilient Systems in Cortex#

ParameterDescriptionRequired
Server URL (e.g. 192.168.0.1)True
Organization nameTrue
API key IDFalse
API key secretFalse
API key IDTrue
API key secretTrue
Credentials (Deprecated - use API Key authentication instead)False
PasswordFalse
Trust any certificate (not secure)False
Use system proxy settingsFalse
Incident typeFalse
Fetch incidentsFalse
Fetch closed incidentsFalse
Fetch notes
Fetch tasks
First fetch timestamp (YYYY-MM-DDTHH:MM:SSZ). For example: 2020-02-02T19:00:00ZTrue
Maximum incidents to fetch.Maximum number of incidents per fetch. The maximum is 1000.False
Incident Mirroring DirectionFalse
Close Mirrored XSOAR IncidentsWhen selected, closing the IBM Resilient incident with a 'Closed' status, will close the Cortex XSOAR incident.False
Close Mirrored IBM Resilient IncidentsWhen selected, closing the Cortex XSOAR incident will close the incident in IBM Resilient.False
Tag from IBM Qradar SOARAdd this tag to an entry to mirror it from IBM Qradar SOAR.False
Tag to IBM QRadar SOARAdd this tag to an entry to mirror it to IBM Qradar SOAR.False

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

rs-search-incidents#


Query for incidents

Base Command#

rs-search-incidents

Input#

Argument NameDescriptionRequired
pageIndicates the starting point for the first record in the dataset. Starting from 1.Optional
page_sizeThe maximum number of records to return in the response. Null or less than 1 to return all records, up to the server-configured maximum limit. When greater than 0, an error will be thrown if the length is greater than the server-configured maximum limit.Optional
limitMaximum number of incidents to retrieve. Default is 1000.Optional
severityComma-separated list of incident severity, e.g., Low,Medium,High.Optional
date-created-beforeCreated date of the incident before the given date in the format YYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
date-created-afterCreated date of the incident after the given date in the format YYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
date-created-within-the-lastCreated date of the incident within the last timeframe (days/hours/minutes). Should be given a number, along with the timeframe argument.Optional
timeframeTimeframe to search within for incident. Should be given with within-the-last/due-in argument. Possible values: "days", "hours", "minutes". Possible values are: days, hours, minutes.Optional
date-occurred-within-the-lastOccurred date of the incident within the last timeframe (days/hours/minutes). Should be given a number, along with the timeframe argument.Optional
date-occurred-beforeOccurred date of the incident before the given date in the format YYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
date-occurred-afterOccurred date of the incident after the given date in the format YYYY-MM-DDTHH:MM:SSZ, e.g., 2018-05-07T10:59:07Z.Optional
incident-typeIncident type. Possible values are: CommunicationError, DenialOfService, ImproperDisposal:DigitalAsset, ImproperDisposal:documents/files, LostDocuments/files/records, LostPC/laptop/tablet, LostPDA/smartphone, LostStorageDevice/media, Malware, NotAnIssue, Other, Phishing, StolenDocuments/files/records, StolenPC/laptop/tablet, StolenPDA/Smartphone, StolenStorageDevice/media, SystemIntrusion, TBD/Unknown, Vendor/3rdPartyError.Optional
nistNIST Attack Vectors. Possible values: "Attrition", "E-mail", "External/RemovableMedia", "Impersonation", "ImproperUsage", "Loss/TheftOfEquipment", "Other", "Web". Possible values are: Attrition, E-mail, External/RemovableMedia, Impersonation, ImproperUsage, Loss/TheftOfEquipment, Other, Web.Optional
statusIncident status. Possible values: "Active" and "Closed". Possible values are: Active, Closed.Optional
due-inDue date of the incident in given timeframe (days/hours/minutes). Should be given a number, along with the timeframe argument.Optional
return_levelThe incident data structure returned ("partial", "normal", "full").'. Possible values are: partial, normal, full.Optional

Context Output#

PathTypeDescription
Resilient.Incidents.CreateDatestringCreated date of the incident.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.ResolutionstringIncident resolution.
Resilient.Incidents.DiscoveredDatestringDiscovered date of the incident.
Resilient.Incidents.ResolutionSummarystringIncident resolution summary.
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.PhasestringIncident phase.
Resilient.Incidents.PlanStatusstringIncident status.
Resilient.Incidents.SeveritystringIncident severity.
Resilient.Incidents.DescriptionstringIncident description.
Resilient.Incidents.ConfirmedbooleanIncident confirmation.
Resilient.Incidents.NegativePrbooleanWhether negative PR is likely.
Resilient.Incidents.DateOccurredstringDate incident occurred.
Resilient.Incidents.ReporterstringName of reporting individual.
Resilient.Incidents.NistAttackVectorsUnknownIncident NIST attack vectors.
Resilient.Incidents.ExposureTypestringIncident exposure type.
Resilient.Incidents.ResolutionSummarystringIncident resolution summary.

rs-update-incident#


Updates incidents.

Base Command#

rs-update-incident

Input#

Argument NameDescriptionRequired
incident-idIncident ID to update.Required
severitySeverity to update. Possible value: "Low", "Medium", and "High". Possible values are: Low, Medium, High.Optional
ownerUser full name to set as incident owner, e.g., Steve Jobs.Optional
incident-typeIncident type (added to the current incident types list). Possible values are: CommunicationError, DenialOfService, ImproperDisposal:DigitalAsset, ImproperDisposal:documents/files, LostDocuments/files/records, LostPC/laptop/tablet, LostPDA/smartphone, LostStorageDevice/media, Malware, NotAnIssue, Other, Phishing, StolenDocuments/files/records, StolenPC/laptop/tablet, StolenPDA/Smartphone, StolenStorageDevice/media, SystemIntrusion, TBD/Unknown, Vendor/3rdPartyError.Optional
resolutionIncident resolution. Possible value: "Unresolved", "Duplicate", "NotAnIssue", and "Resolved". Possible values are: Unresolved, Duplicate, NotAnIssue, Resolved.Optional
resolution-summaryIncident resolution summary.Optional
descriptionIncident description.Optional
nameIncident name.Optional
nistNIST Attack Vectors (added to the current list of NIST attack vectors). Possible values: "Attrition", "E-mail", "External/RemovableMedia", "Impersonation", "ImproperUsage", "Loss/TheftOfEquipment", "Other", "Web". Possible values are: Attrition, E-mail, External/RemovableMedia, Impersonation, ImproperUsage, Loss/TheftOfEquipment, Other, Web.Optional
other-fieldsA JSON object of the form: {field_name: new_field_value}. For example: {"description": {"textarea": {"format": "html", "content": "The new description"}}, "name": {"text": "The new name"}}. The name should be the path to it in the incident separated by "." For example: `{"properties.incident_summary": {"text": "The new name"}}". Because of API limitations we currently support only fields of the following types: ID, list of IDS, Number, Boolean, Text, Data, Textarea. For more information, refer to https://xsoar.pan.dev/docs/reference/integrations/ibm-resilient-systems. In case of conflicts between the other-fields argument and the regular fields arguments, the other-fields value will be used.Optional

Context Output#

There is no context output for this command.

Command Example#

!rs-update-incident incident-id=1234 severity=High incident-type=Malware

Human Readable Output#

Incident 1234 was updated successfully.

rs-incidents-get-members#


Gets members of the incident.

Base Command#

rs-incidents-get-members

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get members of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IDstringIncident ID.
Resilient.Incidents.Members.FirstNamestringMember's first name.
Resilient.Incidents.Members.LastNamestringMember's last name.
Resilient.Incidents.Members.IDnumberMember's ID.
Resilient.Incidents.Members.EmailstringMember's email address.

Command Example#

!rs-incidents-get-members incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1234",
"Members": [
{
"Email": "example@example.com",
"FirstName": "example",
"ID": 1,
"LastName": "example"
}
]
}
}
}

Human Readable Output#

Members of incident 1234#

IDLastNameFirstNameEmail
1exampleexampleexample@example.com

rs-get-incident#


Gets an individual incident by ID.

Base Command#

rs-get-incident

Input#

Argument NameDescriptionRequired
incident-idID of incident to get.Required

Context Output#

PathTypeDescription
Resilient.Incidents.CreateDatestringCreated date of the incident.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.ResolutionstringIncident resolution.
Resilient.Incidents.DiscoveredDatestringDiscovered date of the incident.
Resilient.Incidents.ResolutionSummarystringIncident resolution summary.
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.PhasestringIncident phase.
Resilient.Incidents.PlanStatusstringIncident status.
Resilient.Incidents.SeveritystringIncident severity.
Resilient.Incidents.DescriptionstringIncident description.
Resilient.Incidents.ConfirmedbooleanIncident confirmation.
Resilient.Incidents.NegativePrbooleanWhether negative PR is likely.
Resilient.Incidents.DateOccurredstringDate incident occurred.
Resilient.Incidents.ReporterstringName of reporting individual.
Resilient.Incidents.NistAttackVectorsUnknownIncident NIST attack vectors.
Resilient.Incidents.ExposureTypestringIncident exposure type.

rs-get-incident#


Gets an individual incident by ID.

Base Command#

rs-get-incident

Input#

Argument NameDescriptionRequired
incident-idID of incident to get.Required

Context Output#

PathTypeDescription
Resilient.Incidents.CreateDatestringCreated date of the incident.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.ResolutionstringIncident resolution.
Resilient.Incidents.DiscoveredDatestringDiscovered date of the incident.
Resilient.Incidents.ResolutionSummarystringIncident resolution summary.
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.PhasestringIncident phase.
Resilient.Incidents.PlanStatusstringIncident status.
Resilient.Incidents.SeveritystringIncident severity.
Resilient.Incidents.DescriptionstringIncident description.
Resilient.Incidents.ConfirmedbooleanIncident confirmation.
Resilient.Incidents.NegativePrbooleanWhether negative PR is likely.
Resilient.Incidents.DateOccurredstringDate incident occurred.
Resilient.Incidents.ReporterstringName of reporting individual.
Resilient.Incidents.NistAttackVectorsUnknownIncident NIST attack vectors.
Resilient.Incidents.ExposureTypestringIncident exposure type.
Resilient.Incidents.ResolutionSummarystringIncident resolution summary.
"Incidents": {
"Id": "1234",
"Members": {
"Email": "example@exampe.com",
"FirstName": "example",
"ID": 2,
"LastName": "example",
"members": [],
"vers": 10
}
}
}

}

#### Human Readable Output
>### Members of incident 1234
>|Email|FirstName|ID|LastName|members|vers|
>|---|---|---|---|---|---|
>| example@example.com | example | 2 | example | | 10 |
### rs-get-users
***
Gets a list of all users in the system.
#### Base Command
`rs-get-users`
#### Input
There are no input arguments for this command.
#### Context Output
There is no context output for this command.
#### Command Example
```!rs-get-users```
#### Human Readable Output
>### IBM Resilient Systems Users
>|ID|LastName|FirstName|Email|
>|---|---|---|---|
>| 1 | example | example | example@example.com |
>| 2 | example1 | example1 | example1@example.com |
### rs-close-incident
***
Closes an incident.
#### Base Command
`rs-close-incident`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| incident-id | ID of the incident to close. | Required |
#### Context Output
There is no context output for this command.
#### Command Example
```!rs-close-incident incident-id=1234```
#### Human Readable Output
>Incident 1234 was closed.
### rs-create-incident
***
Creates an incident.
#### Base Command
`rs-create-incident`
#### Input
| **Argument Name** | **Description** | **Required** |
| --- | --- | --- |
| name | Incident name. | Required |
#### Context Output
| **Path** | **Type** | **Description** |
| --- | --- | --- |
| Resilient.Incidents.Id | string | Incident ID. |
| Resilient.Incidents.Name | string | Incident name. |
#### Command Example
```!rs-create-incident name=IncidentName```
#### Context Example
```json
{
"Resilient": {
"Incidents": {
"Id": "1235",
"Name": "IncidentName"
}
}
}

Human Readable Output#

Incident IncidentName was created#

IDName
1235IncidentName

rs-incident-artifacts#


Gets incident artifacts.

Base Command#

rs-incident-artifacts

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get artifacts of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.Artifacts.CreatedDatestringArtifact created date.
Resilient.Incidents.Artifacts.CreatorstringArtifact creator.
Resilient.Incidents.Artifacts.DescriptionstringArtifact description.
Resilient.Incidents.Artifacts.IDnumberArtifact ID.
Resilient.Incidents.Artifacts.TypestringArtifact type.
Resilient.Incidents.Artifacts.ValuestringArtifact value.
Resilient.Incidents.Artifacts.Attachments.ContentTypestringAttachment content type.
Resilient.Incidents.Artifacts.Attachments.CreatedDatestringAttachment created date.
Resilient.Incidents.Artifacts.Attachments.CreatorstringAttachment creator.
Resilient.Incidents.Artifacts.Attachments.IDnumberAttachment ID.
Resilient.Incidents.Artifacts.Attachments.NamestringAttachment name.
Resilient.Incidents.Artifacts.Attachments.SizenumberAttachment size.

Command Example#

!rs-incident-artifacts incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Artifacts": [
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"Description": "example",
"ID": 1,
"Type": "IP Address",
"Value": "1.1.1.1"
},
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"Description": "example",
"ID": 2,
"Type": "IP Address",
"Value": "2.2.2.2"
}
],
"Id": "1234",
"Name": "example"
}
}
}

Human Readable Output#

Incident 1234 artifacts#

IDValueDescriptionCreatedDateCreator
11.1.1.1example2000-00-00T00:00:00Zexample example
22.2.2.2example2000-00-00T00:00:00Zexample example

rs-incident-attachments#


Gets incident attachments.

Base Command#

rs-incident-attachments

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get attachments from.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.OwnerstringIncident owner.
Resilient.Incidents.Attachments.ContentTypestringAttachment content type.
Resilient.Incidents.Attachments.CreatedDatestringAttachment created date.
Resilient.Incidents.Attachments.CreatorstringAttachment creator.
Resilient.Incidents.Attachments.IDnumberAttachment ID.
Resilient.Incidents.Attachments.NamestringAttachment name.
Resilient.Incidents.Attachments.SizenumberAttachment size.

Command Example#

!rs-incident-attachments incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Attachments": [
{
"ContentType": "example",
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"ID": 1,
"Name": "example",
"Size": 10
}
],
"Id": "1234",
"Name": "example",
"Owner": "example example"
}
}
}

Human Readable Output#

Incident 1234 attachments#

ContentTypeCreatedDateCreatorIDNameSize
example2000-00-00T00:00:00Zexample example1example10

rs-related-incidents#


Gets related incidents.

Base Command#

rs-related-incidents

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get related incidents of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.Related.CreatedDatestringCreated date of the related incident.
Resilient.Incidents.Related.NamestringName of the related incident.
Resilient.Incidents.Related.IDnumberID of the related incident.
Resilient.Incidents.Related.StatusstringStatus (Active/Closed) of the related incident.
Resilient.Incidents.Related.Artifacts.CreatedDatestringCreated date of the artifact.
Resilient.Incidents.Related.Artifacts.IDnumberID of the artifact.
Resilient.Incidents.Related.Artifacts.CreatorstringCreator of the artifact.

Command Example#

!rs-related-incidents incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1234",
"Related": [
{
"Artifacts": [
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"ID": 1
},
{
"CreatedDate": "2000-00-00T00:00:00Z",
"Creator": "example example",
"Description": "example",
"ID": 2
}
],
"CreatedDate": "2000-00-00T00:00:00Z",
"ID": 1235,
"Name": "example",
"Status": "Closed"
}
]
}
}
}

Human Readable Output#

Incident 1234 related incidents#

ArtifactsCreatedDateIDNameStatus
ID: 1
Created Date: 2000-00-00T00:00:00Z
Creator: example example
ID: 2
Created Date: 2000-00-00T00:00:00Z
Description: example

Creator: example example
2000-00-00T00:00:00Z1234exampleClosed

rs-incidents-get-tasks#


Gets tasks of incidents.

Base Command#

rs-incidents-get-tasks

Input#

Argument NameDescriptionRequired
incident-idIncident ID to get tasks of.Required

Context Output#

PathTypeDescription
Resilient.Incidents.IdstringIncident ID.
Resilient.Incidents.NamestringIncident name.
Resilient.Incidents.Tasks.CategorystringTask category.
Resilient.Incidents.Tasks.CreatorstringTask creator.
Resilient.Incidents.Tasks.DueDatestringTask due date.
Resilient.Incidents.Tasks.FormstringTask form.
Resilient.Incidents.Tasks.IDstringTask ID.
Resilient.Incidents.Tasks.NamestringTask name.
Resilient.Incidents.Tasks.RequiredbooleanWhether the task is required.
Resilient.Incidents.Tasks.StatusstringTask status (Open/Closed).

Command Example#

!rs-incidents-get-tasks incident-id=1234

Context Example#

{
"Resilient": {
"Incidents": {
"Id": "1234",
"Name": "example",
"Tasks": [
{
"Category": "Respond",
"Creator": "example example",
"Form": "data_compromised, determined_date",
"ID": 1,
"Name": "example",
"Required": true,
"Status": "Open"
}
]
}
}
}

Human Readable Output#

Incident 1234 tasks#

IDNameCategoryFormStatusDueDateInstructionsUserNotesRequiredCreator
1exampleResponddata_compromised, determined_dateOpentrueexample example

rs-add-note#


Add a note to an incident.

Base Command#

rs-add-note

Input#

Argument NameDescriptionRequired
incident-idThe ID of the incident.Required
noteThe text of the note.Required

Context Output#

PathTypeDescription
Resilient.IncidentNote.typeStringThe type of the note (incident or task).
Resilient.IncidentNote.idNumberThe note's ID.
Resilient.IncidentNote.parent_idNumberThe ID of the parent note (null for top-level note)..
Resilient.IncidentNote.user_idNumberThe ID of the user who created the note.
Resilient.IncidentNote.user_fnameStringThe user's first name.
Resilient.IncidentNote.user_lnameStringThe user's last name.
Resilient.IncidentNote.textStringThe note text.
Resilient.IncidentNote.create_dateDateThe date the note was created.
Resilient.IncidentNote.modify_dateDateThe date the note was modified.
Resilient.IncidentNote.is_deletedBooleanThe flag indicating if the note is deleted. Generally, note objects are removed from the database when the user deletes them. However, if the user deletes a parent note, the parent is just marked as deleted (and its text is cleared).
Resilient.IncidentNote.modify_user.idNumberThe ID of the user who last modified the note.
Resilient.IncidentNote.modify_user.first_nameStringThe first name of the user who last modified the note.
Resilient.IncidentNote.modify_user.last_nameStringThe last name of the user who last modified the note.
Resilient.IncidentNote.inc_idNumberThe ID of the incident to which this note belongs.
Resilient.IncidentNote.inc_nameStringThe name of the incident to which this note belongs.
Resilient.IncidentNote.task_idNumberThe ID of the task to which this note belongs. Will be null on incident notes.
Resilient.IncidentNote.task_nameStringThe name of the task to which this note belongs. Will be null on incident notes.
Resilient.IncidentNote.task_customBoooleanFor a task note, whether that task is a custom task. Null for incident notes.
Resilient.IncidentNote.task_membersUnknownFor a task note, the list of that task's members, if any. Null for incident notes.
Resilient.IncidentNote.task_at_idUnknownFor a task note, whether that task is an automatic task. Null for incident notes and task notes that are not automatically generated.
Resilient.IncidentNote.inc_ownerNumberThe owner of the incident to which this note belongs.
Resilient.IncidentNote.user_nameStringThe name of the owner of the incident to which this note belongs.
Resilient.IncidentNote.modify_principal.idNumberThe ID of the principal.
Resilient.IncidentNote.modify_principal.typeStringThe type of the principal. Currently only user or group.
Resilient.IncidentNote.modify_principal.nameStringThe name of the principal.
Resilient.IncidentNote.modify_principal.display_nameStringThe display name of the principal.
Resilient.IncidentNote.comment_perms.updateBooleanWhether the current user has permission to update this note.
Resilient.IncidentNote.comment_perms.deleteBooleanWhether the current user has permission to delete this note.

Command Example#

!rs-add-note incident-id=1234 note="This is a note"

Context Example#

{
"Resilient": {
"incidentNote": {
"actions": [],
"children": [],
"comment_perms": {
"delete": true,
"update": true
},
"create_date": 1600000000000,
"id": 10,
"inc_id": 1234,
"inc_name": "example",
"inc_owner": 1,
"is_deleted": false,
"mentioned_users": [],
"modify_date": 1600000000000,
"modify_principal": {
"display_name": "example example",
"id": 1,
"name": "example@example.com",
"type": "user"
},
"modify_user": {
"first_name": "example",
"id": 1,
"last_name": "example"
},
"parent_id": null,
"task_at_id": null,
"task_custom": null,
"task_id": null,
"task_members": null,
"task_name": null,
"text": "<div>This is a note</div>",
"type": "incident",
"user_fname": "example",
"user_id": 1,
"user_lname": "example",
"user_name": "example example"
}
}
}

Human Readable Output#

The note was added successfully to incident 1234

rs-add-artifact#


Add an artifact to an incident.

Base Command#

rs-add-artifact

Input#

Argument NameDescriptionRequired
incident-idThe ID of the incident.Required
artifact-typeThe type of the artifact. Possible values are: DNS Name, Email Attachment, Email Attachment Name, Email Body, Email Recipient, Email Sender, Email Sender Name, Email Subject, File Name, File Path, HTTP Request Header, HTTP Response Header, IP Address, Log File, MAC Address, Malware Family/Variant, Malware MD5 Hash, Malware Sample, Malware Sample Fuzzy Hash, Malware SHA-1 Hash, Malware SHA-256 Hash, Mutex, Network CIDR Range, Observed Data, Other File, Password, Port, Process Name, Registry Key, RFC 822 Email Message File, Service, String, System Name, Threat CVE ID, URI Path, URL, URL Referer, User Account, User Agent, X509 Certificate File.Required
artifact-valueThe value of the artifact.Required
artifact-descriptionThe description of the artifact.Optional

Context Output#

PathTypeDescription
Resilient.IncidentArtifact.idNumberThe ID of the artifact.
Resilient.IncidentArtifact.typeNumberThe type of the artifact.
Resilient.IncidentArtifact.valueStringThe value of the artifact. For example, the IP address for an IP address artifact.
Resilient.IncidentArtifact.descriptionStringThe description of the artifact.
Resilient.IncidentArtifact.attachmentUnknownThe files attached to the artifact.
Resilient.IncidentArtifact.parent_idNumberThe parent artifact ID.
Resilient.IncidentArtifact.creator.idNumberThe ID of the artifact creator.
Resilient.IncidentArtifact.creator.fnameStringThe first name of the artifact creator.
Resilient.IncidentArtifact.creator.lnameStringThe last name of the artifact creator.
Resilient.IncidentArtifact.creator.display_nameStringThe display name of the artifact creator.
Resilient.IncidentArtifact.creator.statusStringThe status of the artifact creator.
Resilient.IncidentArtifact.creator.emailStringThe email of the artifact creator.
Resilient.IncidentArtifact.creator.phoneStringThe phone number of the artifact creator.
Resilient.IncidentArtifact.creator.cellStringThe cellphone number of the artifact creator.
Resilient.IncidentArtifact.creator.titleStringThe user's job title (e.g., Incident Response Manager).
Resilient.IncidentArtifact.creator.lockedBooleanThe status of the creator's account. (True if locked. false otherwise).
Resilient.IncidentArtifact.creator.password_changedBooleanWhether the user's password has changed. (True if changed, false otherwise).
Resilient.IncidentArtifact.creator.is_externalBooleanWhether the user's account is authenticated externally.
Resilient.IncidentArtifact.creator.ui_themeStringThe UI theme the user has selected. The Resilient UI recognizes the following values (darkmode, lightmode, verydarkmode).
Resilient.IncidentArtifact.inc_idNumberThe incident ID.
Resilient.IncidentArtifact.inc_nameStringThe incident name.
Resilient.IncidentArtifact.inc_ownerNumberThe incident owner.
Resilient.IncidentArtifact.createdDateThe date when the artifact is created.
Resilient.IncidentArtifact.last_modified_timeDateThe last date on which the artifact changed.
Resilient.IncidentArtifact.last_modified_by.idNumberThe ID of the user who last changed the artifact.
Resilient.IncidentArtifact.last_modified_by.typeStringThe type of user who last changed the artifact.
Resilient.IncidentArtifact.last_modified_by.nameStringThe name of the user who last changed the artifact.
Resilient.IncidentArtifact.last_modified_by.display_nameStringThe display name of the user who last changed the artifact.
Resilient.IncidentArtifact.perms.readBooleanWhether the current user has permission to read this artifact.
Resilient.IncidentArtifact.perms.writeBooleanWhether the current user has permission to write to this artifact.
Resilient.IncidentArtifact.perms.deleteBooleanWhether the current user has permission to delete this artifact.
Resilient.IncidentArtifact.propertiesUnknownThe additional artifact properties.
Resilient.IncidentArtifact.hashStringThe hash of the incident.
Resilient.IncidentArtifact.relatingBooleanWhether this artifact should be used for relating to other incidents. Null means use the default specified by the type. True means to always relate. False means to never relate.
Resilient.IncidentArtifact.creator_principal.idNumberThe ID of the principal.
Resilient.IncidentArtifact.creator_principal.typeStringThe type of the principal. Currently only user or group.
Resilient.IncidentArtifact.creator_principal.nameStringThe API name of the principal.
Resilient.IncidentArtifact.creator_principal.display_nameStringThe display name of the principal.
Resilient.IncidentArtifact.ip.sourceBooleanWhether the IP address is a source.
Resilient.IncidentArtifact.ip.destinationBooleanWhether the IP address is a destination.

Command Example#

!rs-add-artifact artifact-type="IP Address" artifact-value=1.1.1.1 incident-id=1234 artifact-description="This is a description"

Context Example#

{
"Resilient": {
"incidentArtifact": {
"actions": [],
"attachment": null,
"created": 1600000000000,
"creator": {
"cell": "",
"display_name": "example example",
"email": "example@example.com",
"fname": "example",
"id": 9,
"is_external": false,
"lname": "example",
"locked": false,
"password_changed": false,
"phone": "",
"status": "A",
"title": "",
"ui_theme": "darkmode"
},
"creator_principal": {
"display_name": "example example",
"id": 1,
"name": "example@example.com",
"type": "user"
},
"description": "example",
"hash": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
"hits": [],
"id": 1,
"inc_id": 1234,
"inc_name": "example",
"inc_owner": 1,
"ip": {
"destination": null,
"source": null
},
"last_modified_by": {
"display_name": "example example",
"id": 1,
"name": "example@example.com",
"type": "user"
},
"last_modified_time": 1600000000000,
"parent_id": null,
"pending_sources": [],
"perms": {
"delete": true,
"read": true,
"write": true
},
"properties": null,
"relating": null,
"type": 1,
"value": "1.1.1.1"
}
}
}

Human Readable Output#

The artifact was added successfully to incident 1234

rs-delete-incidents#


Delete multiple incidents.

Base Command#

rs-delete-incidents

Input#

Argument NameDescriptionRequired
incident_idsA comma-separated list of incident IDs to be deleted.Required

Context Output#

There is no context output for this command.

rs-list-incident-notes#


Gets all of the top-level comments for an incident.

Base Command#

rs-list-incident-notes

Input#

Argument NameDescriptionRequired
incident_idIncident ID to update.Required

Context Output#

PathTypeDescription
Resilient.IncidentNoteDictionaryTop-level comments for incident.

rs-update-task#


Update an incident's task fields.

Base Command#

rs-update-task

Input#

Argument NameDescriptionRequired
task_idID of task to update.Required
nameTask name. Technically required, copy original task name if no changes are desired.Required
owner_idUser ID of the new owner.Optional
due_dateTask due date in ISO format e.g,. "2020-02-02T19:00:00Z. Empty date indicates that the task has no assigned due date.Optional
phaseThe phase to which this task belongs. Possible values are: Initial, Engage, Detect/Analyze, Respond, Post-Incident, Custom, Complete.Optional
statusChanging the status field, completes or re-openes the task. Possible values are: Open, Completed.Optional

Context Output#

There is no context output for this command.

rs-add-custom-task#


Adds a custom task to the specified incident.

Base Command#

rs-add-custom-task

Input#

Argument NameDescriptionRequired
incident_idID of incident to add a task to.Required
nameTask name.Required
descriptionTask description.Required
instructionsTextual instructions for the task. This will override the default instructions for the task.Required
due_dateTask due date in ISO format e.g., "2020-02-02T19:00:00Z. Empty date indicates that the task has no assigned due date.Required
owner_idThe owner of the task (ID or name as appears in IBM QRadar SOAR). Leave empty if the task has no owner.Optional
phaseTask to be added to the IBM QRadar incident. Possible values are: Initial, Engage, Detect/Analyze, Respond, Post-Incident, Custom, Complete. Default is task.Required

Context Output#

There is no context output for this command.

rs-delete-task-members#


Delete a task's member. This effectively changes the task from a "private" task to a non-private task (to one where any incident member can operate on it).

Base Command#

rs-delete-task-members

Input#

Argument NameDescriptionRequired
task_idID of the task to delete its members.Required

Context Output#

There is no context output for this command.

rs-list-tasks#


Gets an array of open tasks to which the current user is assigned.

Base Command#

rs-list-tasks

Input#

There are no input arguments for this command.

Context Output#

PathTypeDescription
Resilient.TasksDictionaryList of open tasks.

rs-list-scripts#


Retrieves the specified script's information or a list of all organization's scripts.

Base Command#

rs-list-scripts

Input#

Argument NameDescriptionRequired
script_idInternal ID/name of the script.Optional

Context Output#

PathTypeDescription
Resilient.ScriptsDictionaryRetrieved script or list of scripts with metadata.

rs-delete-tasks#


Deletes a specified list of tasks. Note that only custom tasks can be deleted.

Base Command#

rs-delete-tasks

Input#

Argument NameDescriptionRequired
task_idsA comma-separated list of task IDs to be deleted.Required

Context Output#

There is no context output for this command.

rs-list-task-instructions#


Lists the task's instructions.

Base Command#

rs-list-task-instructions

Input#

Argument NameDescriptionRequired
task_idID of the task to list its instructions.Required

Context Output#

PathTypeDescription
Resilient.TaskDictionaryTask instructions.

rs-update-incident-note#


Updates an incident's note.

Base Command#

rs-update-incident-note

Input#

Argument NameDescriptionRequired
incident_idIncident ID to update its note.Required
note_idNote ID to update.Required
noteText of the note.Required

Context Output#

There is no context output for this command.

rs-upload-incident-attachment#


Upload an attachment for an incident.

Base Command#

rs-upload-incident-attachment

Input#

Argument NameDescriptionRequired
incident_idIncident ID to update.Required
entry_idEntryID of the file to upload.Required

Context Output#

There is no context output for this command.

rs-get-task-members#


Get the members of a task. Private tasks will have the returned "members" property set. Non-private tasks will have a null "members" property.

Base Command#

rs-get-task-members

Input#

Argument NameDescriptionRequired
task_idID of task to get its members.Required

Context Output#

PathTypeDescription
Resilient.TaskDictionaryTask members.

rs-get-attachment#


Gets incident attachment's name and contents as a file by its ID.

Base Command#

rs-get-attachment

Input#

Argument NameDescriptionRequired
incident_idIncident ID to get attachments from.Required
attachment_idAttachment ID to get.Required

Context Output#

There is no context output for this command.

rs-incidents-update-member#


Updates incident's members.

Base Command#

rs-incidents-update-member

Input#

Argument NameDescriptionRequired
incident-idID of the incident for which to update its members.Required
membersA comma-separated list of members to add, e.g., 1,2,3.Required

Context Output#

There is no context output for this command.