IBM QRadar SOAR

  • 1.  Regarding IBM QRadar Event Payload from Offense Events

    Posted Tue January 16, 2024 11:46 AM

    Hi all

    We have successfully integrated QRadar with IBM SOAR, and everything seems to be in order. However, we are now looking to extract the QRadar event payload from offense events. This information is crucial for some of our automation activities.

    I wanted to inquire if it is possible to fetch the payload from QRadar events directly. Your insights and suggestions on this matter would be highly valuable and will significantly aid us in optimising our automation processes.

    Thanks,



    ------------------------------
    Bhagyesh Limbad
    ------------------------------


  • 2.  RE: Regarding IBM QRadar Event Payload from Offense Events

    Posted Wed January 17, 2024 02:28 AM

    Hi Bhagyesh,

    The Enhanced Data Migration function on the App Exchange provides similar data. A code snippet is available here -> https://github.com/ibmresilient/resilient-community-apps/blob/main/fn_qradar_enhanced_data/fn_qradar_enhanced_data/components/qradar_top_events.py

    SOAR does not do this for you without a function. You could create your own function, or you could use one of the functions from the App Exchange, such as the API-related one, and alter it for your own use.



    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 3.  RE: Regarding IBM QRadar Event Payload from Offense Events

    Posted Thu January 18, 2024 03:55 PM

    Hi Bhagyesh, you can use QRadar SIEM Functions for SOAR from here: https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4

    In that package you need to use the qradar_search function.

    Here is an example of what you would like to do in the code:

    AQL search to grab the data (try it first on your QRadar):
    SELECT DOMAINNAME(domainID), domainID,QIDNAME(qid),LOGSOURCENAME(logSourceId), sourceaddress, destinationaddress, startTime, CATEGORYNAME(category), "SHA256 Hash" , UTF8(payload) FROM events WHERE INOFFENSE('1') ORDER BY startTime ASC LIMIT 10 START 1705586735124 STOP 1705586735125

    The script on the qradar_search should look like:

    # Offense id stored on the SOAR incident (custom field qradar_id); may be an int, so cast it
    offense = incident.properties.qradar_id
    # start_time / stop_time are epoch milliseconds that you derive from the offense/incident yourself
    query = "SELECT DOMAINNAME(domainID), domainID, QIDNAME(qid), LOGSOURCENAME(logSourceId), sourceaddress, destinationaddress, startTime, CATEGORYNAME(category), \"SHA256 Hash\", UTF8(payload) " \
            "FROM events WHERE INOFFENSE('" + str(offense) + "') ORDER BY startTime ASC LIMIT 10 START " + str(start_time) + " STOP " + str(stop_time)
    inputs.qradar_query = query

    You need to get start_time and stop_time from the offense/incident with your code.

    The attributes are just examples; the only thing you really need is UTF8(payload) to grab the payload.

    Hope it helps



    ------------------------------
    Juan Paulo
    IBM
    Santiago
    ------------------------------
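As an added, runnable illustration of the approach in this thread (not code from the post or from the QRadar SIEM Functions app): one helper builds the AQL with the offense id and time bounds validated as integers before interpolation, and a second pulls the payload column out of a search result. The result shape, the "payload" alias and the key names in the constructed sample are assumptions; the custom "SHA256 Hash" property from the thread is left out.

```python
import json

# Constructed sample standing in for a qradar_search result; the real app's
# result shape is an assumption here, so adjust the key names to what your
# function actually returns.
SAMPLE_RESULT = json.loads("""{
  "events": [
    {"sourceaddress": "10.0.0.5", "destinationaddress": "192.0.2.10",
     "startTime": 1705586735124,
     "payload": "<134>Jan 18 10:05:35 fw01 ALLOW TCP 10.0.0.5:51234 -> 192.0.2.10:443"},
    {"sourceaddress": "10.0.0.6", "destinationaddress": "192.0.2.10",
     "startTime": 1705586735125,
     "payload": "<134>Jan 18 10:05:35 fw01 ALLOW TCP 10.0.0.6:51235 -> 192.0.2.10:443"}
  ]
}""")


def build_offense_payload_aql(offense_id, start_time, stop_time, limit=10):
    """Return the AQL that pulls UTF8(payload) for every event in an offense.

    offense_id, start_time (epoch ms) and stop_time (epoch ms) are coerced to
    int before interpolation, so a malformed or tampered incident field raises
    instead of altering the structure of the query sent to QRadar.
    """
    offense = int(offense_id)
    start, stop = int(start_time), int(stop_time)
    if stop < start:
        raise ValueError("stop_time precedes start_time")
    return (
        "SELECT DOMAINNAME(domainID), domainID, QIDNAME(qid), "
        "LOGSOURCENAME(logSourceId), sourceaddress, destinationaddress, "
        "startTime, CATEGORYNAME(category), UTF8(payload) AS payload "
        "FROM events WHERE INOFFENSE('%d') ORDER BY startTime ASC "
        "LIMIT %d START %d STOP %d" % (offense, int(limit), start, stop)
    )


def extract_payloads(result, column="payload"):
    """Collect the raw payload strings from a search result, oldest first."""
    events = sorted(result.get("events", []), key=lambda e: e.get("startTime", 0))
    return [e[column] for e in events if e.get(column)]


if __name__ == "__main__":
    print(build_offense_payload_aql("1", 1705586735124, 1705586735125))
    for line in extract_payloads(SAMPLE_RESULT):
        print(line)
```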