IBM QRadar


[Custom Action Script] Forward Rule or Offense Properties to ticketing external app


    Posted Sun March 22, 2020 09:45 AM
    Hello,

    I am trying to populate my external ticketing tool with many properties via a custom action script which is launched as a Rule Response of my Event Rule.

    Basic properties are OK, like Src IP/Port, Dst IP/Port.
    But I am also trying to get the Rule Name and Rule Description of the rule that triggered, and they do not seem to be part of the pre-defined properties that you can pass to a custom action script :(

    In addition, my rule response is expected to contribute to an offense, and I would like to get the Offense ID and Name.
    This part will not be easy because when my rule response (and my custom script) is executed, the offense has not been created yet.

    Currently, my custom action script curls a complex AQL query against the QRadar API as a POST on the Ariel DB, with WHERE conditions on: IP, ports, starttime > the event starttime, and log source is CRE, to get the properties of the new event dispatched by the rule response.
    The result is good, but I don't like its accuracy because there is no "key" value to be sure it's the right CRE event.
    For example, if I have multiple CRE events involving the same src/dst, on different rules, at about the same time.

    About offenses, my idea is to get the current ID, add 1, and pass the result to my external app. But from my point of view it's very bad because another offense could be created in the meantime, or my event could be part of an existing offense...
    As the contribution to the offense could take up to 2 minutes, I cannot wait and search, because custom action scripts are stopped after 7 seconds.

    Any help would be appreciated :)

    Thanks,
    Clement
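As an added illustration of the lookup described in the post (this is example code, not Clement's script and not IBM's code): it builds the AQL with the five conditions, quotes the literals so a value cannot break out of the query, and bounds the Ariel search poll with a deadline so the script returns before the 7-second custom action cutoff. It assumes the Ariel REST search endpoints (POST /api/ariel/searches, GET .../{search_id}, GET .../{search_id}/results) with the SEC token header, that the CRE log source name contains "Custom Rule Engine", and uses RULENAME(creEventList) as one way to carry the matching rule name into the result.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumption: the CRE log source name contains this text (it varies per deployment).
CRE_NAME_PATTERN = "%Custom Rule Engine%"


def build_cre_query(src_ip, src_port, dst_ip, dst_port, after_epoch_ms, window_min=5):
    """AQL for the CRE (rule-dispatched) events matching the five WHERE conditions."""
    def lit(value):  # quote a string literal; doubling ' keeps the value inside the literal
        return "'" + str(value).replace("'", "''") + "'"
    return (
        "SELECT QIDNAME(qid) AS event_name, RULENAME(creEventList) AS rules, "
        "starttime, sourceip, destinationip FROM events "
        f"WHERE sourceip = {lit(src_ip)} AND sourceport = {int(src_port)} "
        f"AND destinationip = {lit(dst_ip)} AND destinationport = {int(dst_port)} "
        f"AND starttime > {int(after_epoch_ms)} "
        f"AND LOGSOURCENAME(logsourceid) ILIKE {lit(CRE_NAME_PATTERN)} "
        f"LAST {int(window_min)} MINUTES"
    )


def _http_json(method, url, headers):
    """Minimal JSON call against the QRadar REST API (real network; the default transport)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=3) as resp:
        return json.load(resp)


def run_search(console, token, aql, deadline_s=5.0, http=_http_json):
    """Submit the Ariel search and poll it until COMPLETED or the deadline passes.

    Returns the result rows, or None when the search did not finish in time
    (the caller then falls back to the basic properties it already has).
    """
    base = f"https://{console}/api/ariel/searches"
    hdr = {"SEC": token, "Accept": "application/json"}
    stop = time.monotonic() + deadline_s
    search = http("POST", base + "?query_expression=" + urllib.parse.quote(aql), hdr)
    sid = search["search_id"]
    while time.monotonic() < stop:
        state = http("GET", f"{base}/{sid}", hdr)
        if state["status"] == "COMPLETED":
            return http("GET", f"{base}/{sid}/results", hdr).get("events", [])
        if state["status"] in ("ERROR", "CANCELED"):
            return None
        time.sleep(0.2)  # short poll interval; the overall budget is deadline_s
    return None
```

The `http` parameter exists so the poll logic can be exercised without a console; pass the constructed query and a small deadline (well under 7 seconds) from the custom action script.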