Colin,
Thanks for the response. I am familiar with the API. I didn't know that /siem/offenses returned the matching rules. So I will use that to make the initial request and follow up with the other endpoints to get the required information.
If I have a follow-up I'll post it here later, but you have solved my initial question.
That is great and thanks for providing the quick feedback.
------------------------------
Richard Giesige
Security Engineer
Oshkosh Corporation
Oshkosh
------------------------------
Original Message:
Sent: Thu April 30, 2020 01:33 PM
From: COLIN HAY
Subject: AQL for getting all rules that were in an offense.
Hi Richard,
If you're looking to programmatically access the list of rules that contributed to an offense (which is how I'm interpreting the question, since you already know how to find this in the UI), you can use the Offenses API, at the /siem/offenses/ or /siem/offenses/{offense_id} endpoints. If you're not familiar with our REST APIs, you can access the interactive API doc page at https://<your QRadar console IP>/api_doc; it's a great way to see what APIs are available and actually issue requests, play with the filtering syntax, get sample curl commands so you can write scripting around the APIs, and so on.
The offense resource returned by the API has a "rules" field which is a list of objects containing a rule id and a rule type (building block vs full rule vs ADE rule), so you could use this to get the list of rules that contributed to an offense, then, using those IDs, either issue an AQL search to get the events linked to that rule, or hit the rules or building block APIs (/analytics/rules/ and /analytics/building_blocks/) to get additional information about those contributing rules.
If I misunderstood what you're trying to do let me know and I'll see if I can provide a better answer.
Cheers
Colin
------------------------------
COLIN HAY
IBM Security
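The two-step lookup Colin describes (read the offense's "rules" list, then resolve each id against /analytics/rules/ or /analytics/building_blocks/) as a small Python script. This is an added example written for this thread, not IBM's code or an official QRadar client. It assumes the endpoint paths named above under the /api prefix, a SEC token header for authentication, and that the "type" values on the offense's rule references distinguish building blocks from other rules by containing "BUILDING_BLOCK"; the sample offense and rule objects are constructed for illustration and should be checked against /api_doc on your own console.

```python
"""Resolve the rules that contributed to a QRadar offense for SOAR enrichment.

Added example for this thread, not IBM code. Endpoint paths follow the thread:
  /siem/offenses/{offense_id}, /analytics/rules/{id}, /analytics/building_blocks/{id}
Field and type-string names on the sample objects are ASSUMED; verify on /api_doc.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, List

# A fetch() takes a path under /api and returns the decoded JSON body.
Fetch = Callable[[str], dict]


def make_fetch(console: str, sec_token: str, api_version: str = "14.0") -> Fetch:
    """Build a fetch() that GETs JSON from a real console.

    Assumes the console certificate is trusted by the local CA store and that
    the SEC header carries an authorized-service token (least-privilege token
    with read access to offenses and rules is enough for this lookup).
    """
    def fetch(path: str) -> dict:
        req = urllib.request.Request(
            f"https://{console}/api{path}",
            headers={"SEC": sec_token, "Version": api_version, "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch


def detail_path(rule_type: str, rule_id: int) -> str:
    """Map a rule reference from the offense to the endpoint that describes it.

    ASSUMPTION: building-block references carry a type containing "BUILDING_BLOCK";
    everything else (CRE rules, ADE rules) is looked up under /analytics/rules/.
    """
    if "BUILDING_BLOCK" in rule_type.upper():
        return f"/analytics/building_blocks/{rule_id}"
    return f"/analytics/rules/{rule_id}"


def resolve_offense_rules(offense_id: int, fetch: Fetch) -> List[Dict]:
    """Return one record per distinct contributing rule, with its name if it still exists.

    A rule deleted or renamed after the offense fired will 404 on the detail
    endpoint; the reference is kept with name=None so the SOAR side can see the
    gap instead of silently losing the rule.
    """
    offense = fetch(f"/siem/offenses/{offense_id}")
    resolved: List[Dict] = []
    seen = set()
    for ref in offense.get("rules", []):
        key = (ref["type"], ref["id"])
        if key in seen:          # the same rule can appear more than once
            continue
        seen.add(key)
        record = {"id": ref["id"], "type": ref["type"], "name": None, "enabled": None}
        try:
            detail = fetch(detail_path(ref["type"], ref["id"]))
            record["name"] = detail.get("name")
            record["enabled"] = detail.get("enabled")
        except (urllib.error.HTTPError, LookupError) as exc:
            record["error"] = str(exc)
        resolved.append(record)
    return resolved


# ---- constructed offline sample (not real QRadar output) ----------------------
SAMPLE_API = {
    "/siem/offenses/42": {
        "id": 42,
        "description": "Multiple Login Failures followed by Success",
        "rules": [
            {"id": 100001, "type": "CRE_RULE"},
            {"id": 100001, "type": "CRE_RULE"},        # duplicate reference
            {"id": 200002, "type": "BUILDING_BLOCK"},
            {"id": 300003, "type": "CRE_RULE"},         # deleted rule: no detail record
        ],
    },
    "/analytics/rules/100001": {"id": 100001, "name": "Login Failures Followed By Success", "enabled": True},
    "/analytics/building_blocks/200002": {"id": 200002, "name": "BB:CategoryDefinition: Authentication Failure", "enabled": True},
}


def sample_fetch(path: str) -> dict:
    """Offline stand-in for make_fetch(); raises like a 404 for unknown paths."""
    if path not in SAMPLE_API:
        raise LookupError(f"404 Not Found: {path}")
    return SAMPLE_API[path]


if __name__ == "__main__":
    for rule in resolve_offense_rules(42, sample_fetch):
        print(json.dumps(rule))
```

Against a live console, swap `sample_fetch` for `make_fetch("<console host>", "<SEC token>")`; the rest of the logic is unchanged. The dedupe and the 404 handling are the two cases worth keeping when this feeds a SOAR playbook, since a rule that has since been deleted still explains why the offense opened.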
Original Message:
Sent: Wed April 29, 2020 11:02 PM
From: Richard Giesige
Subject: AQL for getting all rules that were in an offense.
Does anyone have a way to get all the rules that were triggered from an offense?
We are trying to be able to use this for our SOAR platform, but I'm struggling to find a clean way to get all the rules for an offense. INOFFENSE() seems like a good way to start, but that returns events.
So would I want to parse all the events from the offense for rules and their names? Or is there a simpler way to get what rule triggered an offense? (I want the data that the Display drop-down :: Rules selection gives you.)
Thanks
------------------------------
Richard Giesige
Security Engineer
Oshkosh Corporation
------------------------------