Original Message:
Sent: Thu March 26, 2026 02:55 AM
From: najam ul haq
Subject: QRadar → Shuffle SOAR Integration
Could it be a workaround that, whenever an event rule runs as part of an offense, we search for its offense ID using the event parameters and send the event parameters and offense ID along on the webhook? But the event rule seems to be providing null values to the script: source IP, destination IP, username, device time, etc. are all coming in null from the event rule to the custom action. What could be the problem there?
------------------------------
najam ul haq
Original Message:
Sent: Thu March 26, 2026 02:20 AM
From: Mykhailo Honcharov
Subject: QRadar → Shuffle SOAR Integration
Indeed, I'm not sure you can achieve it just by relying on some QID as it would be suboptimal on QRadar side to spit out a SIM Audit event each time a new event or flow has been added to an offense.
As far as I remember, Shuffle has a datastore cache where you can save custom values to be used across workflow runs, so it could be used to hold a list of tracked offenses. You can just populate this list with offense IDs during offense creation and kick off data sync with another workflow that has a scheduled trigger. This workflow would run every n minutes, pull offense data by ID, check if the event/flow count has changed, pull new events/flows via the QRadar API and do all the necessary actions you intend it to do with this data.
Also, I guess that you have to delete the offense ID from the cached list when the offense is closed on QRadar. Otherwise your scheduled sync workflow would run an unnecessary workload.
------------------------------
Mykhailo Honcharov
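The scheduled sync loop described in the reply above, as an added example that is not from the thread or from Shuffle/QRadar: an in-memory stand-in for the datastore cache, a `sync()` pass that compares each tracked offense's event/flow count against the last seen total and drops closed offenses from the cache. The `fetch_offense` callable and the sample responses are constructed assumptions; the field names `status`, `event_count` and `flow_count` follow the QRadar `/api/siem/offenses/{id}` response.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class OffenseTracker:
    """Cache of tracked offense IDs plus the last event+flow total seen for each."""
    fetch_offense: Callable[[int], dict]            # stand-in for GET /api/siem/offenses/{id}
    tracked: Set[int] = field(default_factory=set)
    last_total: Dict[int, int] = field(default_factory=dict)

    def on_offense_created(self, offense_id: int) -> None:
        """Called by the workflow fired on the 'Offense created' audit event."""
        self.tracked.add(offense_id)
        self.last_total.setdefault(offense_id, 0)

    def sync(self) -> List[Tuple[int, int]]:
        """One run of the scheduled workflow. Returns (offense_id, new_records) for every
        offense whose event/flow count grew; closed offenses are removed from the cache."""
        grew = []
        for oid in sorted(self.tracked):            # sorted() copies, so removal below is safe
            offense = self.fetch_offense(oid)
            if offense.get("status") == "CLOSED":
                self.tracked.discard(oid)
                self.last_total.pop(oid, None)
                continue
            total = offense.get("event_count", 0) + offense.get("flow_count", 0)
            seen = self.last_total.get(oid, 0)
            if total > seen:
                grew.append((oid, total - seen))     # caller pulls the new events/flows here
                self.last_total[oid] = total
        return grew


# Constructed sample API responses (hypothetical offense IDs), not real QRadar data.
SAMPLE_OFFENSES = {
    101: {"id": 101, "status": "OPEN", "event_count": 5, "flow_count": 0},
    102: {"id": 102, "status": "OPEN", "event_count": 2, "flow_count": 1},
    103: {"id": 103, "status": "CLOSED", "event_count": 9, "flow_count": 0},
}


def run_demo() -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]], Set[int]]:
    offenses = {oid: dict(data) for oid, data in SAMPLE_OFFENSES.items()}
    tracker = OffenseTracker(fetch_offense=lambda oid: offenses[oid])
    for oid in (101, 102, 103):
        tracker.on_offense_created(oid)
    first = tracker.sync()                   # open offenses report their initial totals; 103 is dropped
    offenses[101]["event_count"] = 8         # simulate three more events joining offense 101
    second = tracker.sync()                  # only 101 reports growth
    return first, second, tracker.tracked


if __name__ == "__main__":
    print(run_demo())
```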
Original Message:
Sent: Wed March 25, 2026 07:44 AM
From: najam ul haq
Subject: QRadar → Shuffle SOAR Integration
But in that case, how do I deal with logs that are being added to an existing offense? I think there's no QID for that.
------------------------------
najam ul haq
Original Message:
Sent: Wed March 25, 2026 04:01 AM
From: Dusan VIDOVIC
Subject: QRadar → Shuffle SOAR Integration
Exactly. Logs are coming under SIM User Action low level category. QIDs should be:
28250369 = Offense created
28250021 = Offense closed
28250180 = Offense Assigned
28250151 = Note Added
From what I recall, the payload of 28250369 (Offense created) contains information such as Offense ID, Offense type, Direction and contributing rule ID. I think the source IP in the events other than "Offense created" should indicate the IP of the actor.
------------------------------
Dusan VIDOVIC
Original Message:
Sent: Wed March 25, 2026 01:58 AM
From: Mykhailo Honcharov
Subject: QRadar → Shuffle SOAR Integration
Hello,
You could actually reference SIM Audit events for all of these activities in your custom rules. These events do contain Offense ID, though it may have to be extracted from the payload (of that I'm not entirely certain).
You still have to query additional information via the API if your use case is related to case management on some platform. If it is just for notification, like pushing a message to Slack on offense creation, then the info in the payload of these events should be pretty sufficient.
Regards,
Mykhailo
------------------------------
Mykhailo Honcharov
Original Message:
Sent: Tue March 24, 2026 03:08 AM
From: najam ul haq
Subject: QRadar → Shuffle SOAR Integration
- How can I send offenses from IBM QRadar to Shuffle SOAR using webhook/push methods only when an offense is created, updated, or closed?
- Since Offense Rules do not support running custom action scripts, what is the recommended way to trigger outbound communication for offense lifecycle events?
- In Event Rules, the offense_id is not directly available, so how can I reliably correlate events and retrieve the correct offense ID before sending data to Shuffle?
- What is the best approach to track offense updates and closure status in near real time and push those changes externally?
- For data ingestion into Shuffle SOAR, should I stream every event/flow in real time, or send batched data (but then I can't access it through the API from Shuffle)?
- Basically, what is the recommended architecture/mechanism in QRadar to support this integration efficiently?
------------------------------
najam ul haq
------------------------------