IBM QRadar

  • 1.  QRadar to Pagerduty integration

    Posted Thu June 22, 2023 05:43 AM
    Edited by Jeffrey Francisco Thu June 22, 2023 05:47 AM

    Hi,

    Would like to send Qradar alerts to PagerDuty via API, is it true that this would only work if we have SOAR plugin?

    Thanks,
    Jeffrey



  • 2.  RE: QRadar to Pagerduty integration

    Posted Thu June 22, 2023 12:37 PM

    As far as I know the only application on the IBM X-Force App Hub is for QRadar SOAR. That being said, you could add similar functionality to QRadar with a custom action script as a rule response. Custom actions are available on each managed host to run a script (bash, python, or perl) in a jail shell that could take the offense info and push it over to PagerDuty's API. QRadar does not offer this app integration currently and it appears that SOAR has a few apps to do communications.

    The purpose of custom actions is to shell off commands from interacting with QRadar and have scripts that can leverage APIs when rule conditions are met. For example, if you want to pass a username, offense ID, or other information, you can do so. There is some info with an example here from the QRadar Docs, but it is not specific to PagerDuty.


    I'm going to send a link to this discussion over to the team that works on apps with Business Partners. I checked to see if there were any ideas logged for PagerDuty integration, but I didn't find anything on IBM Ideas.



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------



  • 3.  RE: QRadar to Pagerduty integration

    Posted Sun July 02, 2023 10:01 PM

    Thanks, Jonathan, for the suggestion. We've decided to take a different route now. We're planning to push the QRadar offense to AWS SNS instead.

    Do you know if there's a way to run/execute a script to take the offense details (when a new offense is generated) and push it to SNS and not via QRadar SOAR?

    Thanks,

    Jeffrey



    ------------------------------
    Jeffrey Francisco
    ------------------------------



  • 4.  RE: QRadar to Pagerduty integration

    Posted Thu April 17, 2025 05:56 PM
    Edited by Paul Goffar Thu April 17, 2025 05:57 PM

    Hey Jonathan,

    Digging into this, so I thought I would resurrect the thread. The bridge to push is very simple of course, but the challenge of pulling dynamic properties without the ability to use functions or nested properties (like AQL or Jinja in custom email templates) is proving to be a huge pain in the neck lol. I've been able to map QRadar priority to PagerDuty priority using a simple scoring in bash and that all seems fine, but I also want to pull dynamic properties from the event that triggered the rule, which would make my request look more like the one shown below. This should be super easy, but for some reason I can't figure out how to pull the Event Name and Event Description from the custom actions UI fields. None of the expected parameters hold this and, as I mentioned, I can't do QIDNAME(qid) or anything like that lol. If anyone has any idea, I'd love to hear it! (full sample here)

    '{
      "payload": {
        "summary": "QRadar ${priority_label} Escalation: ${QIDName} at ${SourceIP}",
        "severity": "critical",
        "source": "$logSource",
        "custom_details": {
          "Description": "$eventDescription",
          "Username": "$username",
          "Source IP": "$sourceIP"
        }
      },
      "routing_key": "****YOUR API KEY****",
      "event_action": "trigger"
    }'



    ------------------------------
    Paul
    ------------------------------
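A custom action script of the kind Jonathan describes, added here as an example for this thread (it is not code from the thread, from IBM, or from PagerDuty): it maps offense magnitude to an Events API v2 severity, escapes event fields before placing them in the JSON (the template above interpolates them raw, so a quote in an event description breaks or alters the request), and deduplicates on the offense ID so repeated rule firings update one incident. The positional argument order, the magnitude thresholds and the sample values are assumptions.

```shell
#!/bin/sh
# Hypothetical QRadar custom action script. QRadar passes the rule's configured
# parameters as positional arguments; the order assumed here is:
#   $1 routing key  $2 offense ID  $3 magnitude  $4 source IP
#   $5 username     $6 log source  $7 event description

# Escape a value for use inside a JSON string. Untrusted event fields (names,
# descriptions, usernames) can contain quotes, backslashes, tabs and newlines;
# pasting them into the template unescaped breaks the JSON or injects fields.
json_escape() {
  printf '%s' "$1" \
    | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$(printf '\t')/\\\\t/g" \
    | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Map offense magnitude (1-10) to a PagerDuty Events API v2 severity.
# The thresholds are an assumption; tune them to your escalation policy.
pd_severity() {
  case "$1" in
    [89]|10) echo critical ;;
    [67])    echo error ;;
    [345])   echo warning ;;
    *)       echo info ;;
  esac
}

# Build the Events API v2 "trigger" body. dedup_key ties every firing for the
# same offense to one incident instead of paging on each rule match.
pd_payload() {
  key=$(json_escape "$1"); offense=$(json_escape "$2"); mag=$(json_escape "$3")
  sev=$(pd_severity "$3"); src_ip=$(json_escape "$4"); user=$(json_escape "$5")
  ls=$(json_escape "$6"); desc=$(json_escape "$7")
  printf '{"routing_key":"%s","event_action":"trigger","dedup_key":"qradar-offense-%s",' "$key" "$offense"
  printf '"payload":{"summary":"QRadar offense %s (magnitude %s) from %s","severity":"%s","source":"%s",' \
    "$offense" "$mag" "$src_ip" "$sev" "$ls"
  printf '"custom_details":{"offense_id":"%s","username":"%s","source_ip":"%s","description":"%s"}}}' \
    "$offense" "$user" "$src_ip" "$desc"
}

# POST the body to the Events API v2 enqueue endpoint.
pd_send() {
  curl -sS -X POST 'https://events.pagerduty.com/v2/enqueue' \
    -H 'Content-Type: application/json' --data "$1"
}

# Send only when invoked with all seven parameters (as QRadar does).
if [ "$#" -ge 7 ]; then
  pd_send "$(pd_payload "$@")"
fi
```

In the custom action configuration, define the routing key as a fixed-value parameter and the rest as offense/event properties, in the same order the script expects.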