Troubleshooting
Problem
Artifacts might not be created because the artifact value is not correct for the artifact type.
Symptom
Warnings such as this might appear causing scripts and thus playbooks or workflows to fail.
An error occurred while processing the action acknowledgement. Additional information: Unable to run Script 'entities post-process' from Playbook 'Sentinel Incident Sync' due to the following errors: The Script is unable to update the Incident 'Sentinel Incident 123456 - Microsoft Defender Threat Intelligence Analytics' because: The value for the artifact type URL is invalid: www.domain.com.
Cause
Many default or "built-in" artifact types use regex to check that the value of the artifact is correct and inline with other artifacts created for that artifact type.
Trying to create an artifact with a value that does not match the regex will return "The value for the artifact type <NAME> is invalid."
Diagnosing The Problem
For QRadar SOAR, you can use the interactive API (Help/Contact -> Interactive REST API -> OrgIncidentArtifactTypeREST -> GET /orgs/{org_id}/artifact_types -> Execute) to return the regex for that artifact type.
In this example, URL, requires a protocol to be present which is not the case with www.domain.com.
{
"id": 3,
"name": "URL",
"desc": "Suspicious URL",
"reg_exp": "(http|https|file|gopher|ftp):\\/\\/[^\\s]+",
"split_on": "\r?\n|\\s",
"programmatic_name": "URL",
"uuid": "ee907a44-acbc-4769-83f3-f1f4097b74c2",
"parse_as_csv": false,
"use_for_relationships": true,
"enabled": true,
"version": 1,
"tags": [],
"default_scan_option": "on",
"file": false,
"multi_aware": true,
"system": true
},
Resolving The Problem
Review the script, in this case, and make changes so that another appropriate artifact type is used.
Custom artifact types do not validate values like built-in artifact types.
Related Information
Document Location
Worldwide
[{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEGM63","label":"IBM Security QRadar SOAR on Cloud"},"ARM Category":[{"code":"a8m0z000000cvuvAAA","label":"Integrations->API"}],"ARM Case Number":"TS015406151","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSA230","label":"IBM Security QRadar SOAR"},"ARM Category":[{"code":"a8m0z000000cvuvAAA","label":"Integrations->API"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"},{"Type":"MASTER","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSL2BV","label":"IBM Security QRadar Suite - SOAR"},"ARM Category":[{"code":"a8m0z000000cvuvAAA","label":"Integrations->API"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions"}]
Was this topic helpful?
Document Information
Modified date:
13 February 2024
UID
ibm17116832