IBM QRadar SOAR
  • 1.  Integration Qradar

    Posted Wed January 30, 2019 12:50 PM
    When we send an offense to Resilient, the "Owner" and "Created By" of the incident are "Rest API" (the user we generated for the integration).

    Is it possible that the "Owner" and "Created By" are the same operator that sent the offense?

    On the other hand, how could I send the "asset_name" field to generate a DNS type device with this data?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------


  • 2.  RE: Integration Qradar
    Best Answer

    Posted Thu January 31, 2019 03:10 PM
    Is it possible that the "Owner" and "Created By" are the same operator that sent the offense?

    Yes and no. When using the Resilient QRadar Integration App to escalate an offense to an incident, there are two ways: automatically or manually.
    However, for automatic escalation, the "Created by" field always uses the API user (the one you put in the "Access tab" of the Integration app). For manual escalation, login information is required; the "Created by" is the user who logs in to Resilient, and you can also specify the "Owner" when creating an incident from an offense.

    On the other hand, how could I send the "asset_name" field to generate a DNS type device with this data?

    Yes, but it requires creating a customized template.

    ------------------------------
    Yu Zhang
    ------------------------------



  • 3.  RE: Integration Qradar

    Posted Thu January 31, 2019 03:20 PM
    Yu Zhang, Thank you very much for the quick answer.

    The escalation in my case is always "manual". I did not understand whether I have to change or set both fields. Could you comment on how you would do it?

    "asset_name": where and how do I add that data in my custom template?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 4.  RE: Integration Qradar

    Posted Thu February 07, 2019 03:02 PM
    How could I send a custom field that is in an event within the offense that I want to send to Resilient?

    E.g.:
    Offense ID 38029 contains 2 events. I select one of them and inside it I have 3 fields: "MWG_Dominio", "URL", "UrlHost".

    How to create 3 "URL" artifacts with each field?

    Within the template I assign the fields, but I get an error:
    [Image: Template Artifacts]

    ------------------------------
    Juan Cruz Del Col
    ------------------------------

    Attachment(s): Bloqueo de cuenta.txt (3 KB, 1 version)


  • 5.  RE: Integration Qradar

    Posted Thu February 07, 2019 09:58 PM
    The template only supports offense fields. The 3 fields "MWG_Dominio", "URL", "UrlHost" you listed are not offense fields, so you cannot add them to the template directly.
    You can use the QRadar function (https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4) to search QRadar and query events, then add the returned data as artifacts.

    ------------------------------
    LILY WANG
    ------------------------------
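    The approach in the answer above (query the offense's events from QRadar, then turn the returned custom properties into incident artifacts), as an added example that is not part of this thread and not code from the IBM app. It assumes the Ariel REST API's `{"events": [...]}` result shape, the built-in artifact type names "URL" and "DNS Name", and a constructed two-event result set; the event property names and offense ID are the ones from the post, and the mapping of each property to an artifact type is the example's own choice. The sample values are constructed and use the reserved `.test` domain.

```python
"""Build SOAR artifacts from QRadar event properties for one offense.

Added example for this thread, not the IBM app's code. The REST endpoint
path, the artifact payload shape and the property-to-type mapping are
assumptions; check them against your own SOAR and QRadar versions.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Assumed mapping: QRadar custom event property -> Resilient artifact type.
DEFAULT_FIELD_MAP: Dict[str, str] = {
    "MWG_Dominio": "DNS Name",
    "URL": "URL",
    "UrlHost": "DNS Name",
}

# Only plain property names are accepted inside the AQL column list, so a
# caller-supplied name can never break out of the quoted identifier.
_SAFE_FIELD = re.compile(r"^[A-Za-z0-9_ .-]+$")


def build_aql(offense_id: int, fields: Iterable[str], window: str = "LAST 24 HOURS") -> str:
    """Return the AQL query that selects the wanted properties for one offense.

    INOFFENSE() is the AQL function that restricts events to an offense;
    offense_id is forced to be a positive int rather than interpolated as text.
    """
    if not isinstance(offense_id, int) or isinstance(offense_id, bool) or offense_id <= 0:
        raise ValueError("offense_id must be a positive integer")
    cols = []
    for name in fields:
        if not _SAFE_FIELD.match(name):
            raise ValueError("unsafe property name: %r" % name)
        cols.append('"%s"' % name)
    return "SELECT %s FROM events WHERE INOFFENSE(%d) %s" % (", ".join(cols), offense_id, window)


def extract_artifacts(search_results: dict,
                      field_map: Dict[str, str] = DEFAULT_FIELD_MAP) -> List[Tuple[str, str]]:
    """Turn an Ariel result set into (artifact_type, value) pairs.

    Empty properties are skipped and duplicates across events are collapsed
    (case-insensitively), so an offense with many similar events yields one
    artifact per distinct indicator instead of one per event.
    """
    seen = set()
    artifacts: List[Tuple[str, str]] = []
    for event in search_results.get("events", []):
        for field, artifact_type in field_map.items():
            raw = event.get(field)
            if raw is None:
                continue
            value = str(raw).strip()
            if not value:
                continue
            key = (artifact_type, value.lower())
            if key in seen:
                continue
            seen.add(key)
            artifacts.append((artifact_type, value))
    return artifacts


def to_artifact_payloads(artifacts: List[Tuple[str, str]], offense_id: int) -> List[dict]:
    """Render pairs as request bodies for the incident artifacts endpoint.

    Assumed shape for POST /rest/orgs/{org_id}/incidents/{inc_id}/artifacts;
    verify the field names against your SOAR's REST API documentation.
    """
    return [
        {"type": artifact_type, "value": value,
         "description": "From QRadar offense %d" % offense_id}
        for artifact_type, value in artifacts
    ]


# Constructed sample: what a GET /api/ariel/searches/{id}/results might return
# for the query above. The second event repeats the URL and has an empty domain.
SAMPLE_RESULTS = {
    "events": [
        {"MWG_Dominio": "example.test", "URL": "http://www.example.test/path",
         "UrlHost": "www.example.test"},
        {"MWG_Dominio": "", "URL": "http://www.example.test/path",
         "UrlHost": "cdn.example.test"},
    ]
}

if __name__ == "__main__":
    print(build_aql(38029, DEFAULT_FIELD_MAP.keys()))
    for payload in to_artifact_payloads(extract_artifacts(SAMPLE_RESULTS), 38029):
        print(payload)
```

    In a SOAR function or workflow the query string goes to the QRadar search function and the payload list is posted artifact by artifact to the incident; the dedup step matters because one offense can hold hundreds of events that all carry the same URL.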



  • 6.  RE: Integration Qradar

    Posted Wed March 06, 2019 10:29 AM
    Is it possible to limit this: when an operator escalates an offense to a Resilient incident, another operator cannot resubmit the same offense as a new incident?

    ------------------------------
    Juan Cruz Del Col
    ------------------------------



  • 7.  RE: Integration Qradar

    Posted Wed March 06, 2019 05:14 PM
    The integration process will check: if an offense has been escalated before, it cannot be escalated to a new incident again.

    ------------------------------
    LILY WANG
    ------------------------------



  • 8.  RE: Integration Qradar

    Posted Wed March 06, 2019 09:09 PM
    Will it be possible to limit it?

    There are many operators in the SOC and this usually happens.

    ------------------------------
    Juan Cruz Del Col
    ------------------------------