Iqra
I will try to set this straight:
part1 you say "I have a project where for any new offense generated I hope to extract the offense details and send them to an external alerting system. Unfortunately, I am unable to use "Forwarding Destinations" for this because I can only send details via the external alerting system's API. So instead, I thought I would use a custom action script."
I don't get this. A standard alert rule will have these details, "forwarding destinations" included:
Offense CRE Rule #117878, "P4B: offense ticket" fired.
Rule Notes
Offense #1850
Start Time: Sun Jun 04 05:36:19 CEST 2023
Magnitude: 6, Relevance 5, Severity: 9, Credibility 3
Description: Microsoft Windows RCE Vulnerability - Suspicious IPs
Event count for this offense: 1
Flow count for this offense: 0
in 1 categories
Offense Source Summary
Source: 185.220.101.182
Location: Germany
User: N/A
Mac: N/A
Destination IP: 10.20.100.249
Host: tor-exit-182.relayon.org.
Asset Name: tor-exit-182.relayon.org.
Offenses: 1
Events/Flows: 1
Top 5 Source IPs:
(Description, Magnitude, Location, User)
- 185.220.101.182, 0, Germany, Unknown
Top 5 Destination IPs:
(Description, Magnitude, Location, User)
- 10.20.100.249 (P4B-View-Sec-Gateway), 0, P4B.CorporateNetwork.DMZ, Unknown
- 10.20.100.249 (P4B-View-Sec-Gateway), 0, P4B.CorporateNetwork.DMZ, Unknown
- 10.20.100.249 (P4B-View-Sec-Gateway), 0, P4B.CorporateNetwork.DMZ, Unknown
- 10.20.100.249 (P4B-View-Sec-Gateway), 0, P4B.CorporateNetwork.DMZ, Unknown
- 10.20.100.249 (P4B-View-Sec-Gateway), 0, P4B.CorporateNetwork.DMZ, Unknown
Top 5 Log Sources:
- Custom Rule Engine-8 :: vqradar
Top 5 Users:
Top 5 Categories:
(Name, Magnitude, Local Destination Count, Event/Flow Count)
- Remote Access Exploit, 10, 1, 1
Top 5 Annotations:
- 12000: "CRE Event". CRE Rule description: [Microsoft Windows RCE Vulnerability - Suspicious IPs] Detects when RCE IPs are seen.
- 12001: [Microsoft Windows RCE Vulnerability - Suspicious IPs] "Offense Renamed". This offense has been renamed to "Microsoft Windows RCE Vulnerability - Suspicious IPs" by user request, based on an Event Rule that has fired. Typically this is done because a particular sequence of recognizable and important security events has been detected, and the offense has been named accordingly.
Contributing CRE Rules:
- Microsoft Windows RCE Vulnerability - Suspicious IPs
So a standard offense email rule will get everything transported that you need.
Part2 you utter "I am hoping to create a rule where for any events coming in, I check if it's linked to an active offense and then pass information to a custom action script (using event rules as I know it's not possible to use custom action scripts through offense rules). I have this rule setup and it appears to be working." Big misunderstanding. The fact that custom action scripts can't be run in offense rules should not lead you to try checking all events for being offense related. That's fine for a detailed search but not for custom scripts. It will kill your system, BTW, even if it seems to work.
Part3 of your question you say "However, I was hoping to pass the active offense ID through to the custom action script. But I'm unsure on how to get this information and it doesn't look to be in the "Network Event Property" list." Here you need to know that offense IDs are being created after the event rule tests have been executed and fired an offense. So the only way to catch that via custom action script is after the offense has been created and linked back to the events that have been flagged.
The new QRadar suite gives much more flexibility in forwarding offenses to external systems, where the offense forwarder app is just one of them. Have a look at the demo video at https://www.ibm.com/products/qradar-soar?utm_content=SRCWW&p1=Search&p4=43700075239476255&p5=e&gclid=Cj0KCQiA2eKtBhDcARIsAEGTG42yI2ElsKtNixx_NH6PLlq5XS1ge5DWYRmR6_drk7nW5z7koElVNSkaAu6KEALw_wcB&gclsrc=aw.ds
BR Karl
------------------------------
[Karl] [Jaeger] [Business Partner]
[QRadar Specialist]
[pro4bizz]
[Karlsruhe] [Germany]
[4972190981722]
------------------------------
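Karl's Part3 point is that an offense ID exists only after the rule has fired and the offense has been created, so an event-rule custom action script is the wrong place to look for it. The script below is an added example (not code from either post) of the approach that follows from that: poll the QRadar REST API for offenses created after the last one forwarded and push a summary to the external alerting API. The QRadar host, SEC token, API version header, the alerting endpoint and its JSON shape are all placeholders I assumed; the sample offense is constructed to mirror the fields in the email template above, not real API output.

```python
"""Poll QRadar for newly created offenses and forward them to an external alerting API.

Added example, not code from the thread. Host, token, API version and the
alerting endpoint are assumptions; replace them for your environment.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

QRADAR_HOST = "https://qradar.example.internal"              # assumption
QRADAR_SEC_TOKEN = "REPLACE_WITH_AUTHORIZED_SERVICE_TOKEN"   # assumption
QRADAR_API_VERSION = "12.0"                                  # assumption; match your console
ALERT_API_URL = "https://alerts.example.internal/api/v1/events"  # assumption

# Offense fields that correspond to what the offense email template carries.
OFFENSE_FIELDS = ("id,description,magnitude,severity,credibility,relevance,"
                  "start_time,offense_source,status,event_count,flow_count")


def build_offense_query(last_seen_id: int) -> str:
    """Path + query for open offenses with an id above the last one forwarded.

    Using the id as a watermark avoids re-sending offenses and avoids the
    per-event checking Karl warns against: only finished offenses are read.
    """
    flt = f'id > {last_seen_id} and status = "OPEN"'
    query = urllib.parse.urlencode({"filter": flt, "fields": OFFENSE_FIELDS},
                                   quote_via=urllib.parse.quote)
    return "/api/siem/offenses?" + query


def qradar_get(path: str) -> List[Dict]:
    """Real HTTP fetch against the console (not exercised offline)."""
    req = urllib.request.Request(QRADAR_HOST + path, headers={
        "SEC": QRADAR_SEC_TOKEN,
        "Version": QRADAR_API_VERSION,
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_offense(offense: Dict) -> Dict:
    """Map the offense record onto the (assumed) alerting API payload."""
    return {
        "offense_id": offense["id"],
        "title": (offense.get("description") or "").strip(),
        "magnitude": offense.get("magnitude"),
        "severity": offense.get("severity"),
        "credibility": offense.get("credibility"),
        "relevance": offense.get("relevance"),
        "source": offense.get("offense_source"),
        "start_time_ms": offense.get("start_time"),
        "event_count": offense.get("event_count"),
        "flow_count": offense.get("flow_count"),
    }


def post_alert(payload: Dict) -> None:
    """Real HTTP POST to the alerting system (not exercised offline)."""
    data = json.dumps(payload).encode("utf-8")
    req = urllib.request.Request(ALERT_API_URL, data=data, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        resp.read()


def forward_new_offenses(fetch: Callable[[str], List[Dict]],
                         send: Callable[[Dict], None],
                         last_seen_id: int) -> int:
    """One polling cycle. Forwards offenses in id order and returns the new watermark.

    fetch/send are injected so the cycle can be tested without a console or
    an alerting backend; in production pass qradar_get and post_alert.
    """
    offenses = fetch(build_offense_query(last_seen_id))
    high = last_seen_id
    for off in sorted(offenses, key=lambda o: o["id"]):
        send(summarize_offense(off))
        high = max(high, off["id"])
    return high


# Constructed sample offense mirroring the email above (Sun Jun 04 05:36:19 CEST 2023).
SAMPLE_OFFENSES = [
    {"id": 1850, "description": "Microsoft Windows RCE Vulnerability - Suspicious IPs\n",
     "magnitude": 6, "relevance": 5, "severity": 9, "credibility": 3,
     "start_time": 1685849779000, "offense_source": "185.220.101.182",
     "status": "OPEN", "event_count": 1, "flow_count": 0},
]

if __name__ == "__main__":
    sent = []
    watermark = forward_new_offenses(lambda _p: SAMPLE_OFFENSES, sent.append, 1849)
    print(watermark, json.dumps(sent, indent=2))
```

Persist the returned watermark (a file or small DB) between runs, run the cycle on a timer rather than per event, and give the authorized service token only the offense-read permission it needs. If the console holds many open offenses, page through them with the API's `Range: items=a-b` header instead of pulling everything in one call.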
Original Message:
Sent: Wed January 31, 2024 12:29 PM
From: Iqra Haq
Subject: Get Offense ID from Events via API
Hi all,
I have a project where for any new offense generated I hope to extract the offense details and send them to an external alerting system. Unfortunately, I am unable to use "Forwarding Destinations" for this because I can only send details via the external alerting system's API. So instead, I thought I would use a custom action script.
I am hoping to create a rule where for any events coming in, I check if it's linked to an active offense and then pass information to a custom action script (using event rules as I know it's not possible to use custom action scripts through offense rules). I have this rule set up and it appears to be working.
However, I was hoping to pass the active offense ID through to the custom action script. But I'm unsure on how to get this information and it doesn't look to be in the "Network Event Property" list.
Any help is appreciated.
Thanks,
Iqra
------------------------------
Iqra Haq
------------------------------