Hello community,
How do you deal with data sync from QRadar to IBM SOAR regarding the offense assignee to SOAR case owner? The systems use different usernames: the SIEM uses a username while SOAR uses an email name.
What I tried and found:
1. Change login user file in LDAP integration. QRadar does not allow using an email name for login.
2. Change the assignee value in the offense escalation configuration. This also does not work, as you can only play with data that is in the offense.
3. A SOAR playbook with an LDAP integration app that gets the user email from LDAP using the username. Looks logical, but in my MSSP configuration I would need to configure about 200 apps for each SOAR organization.
In my case I would like to pass that data to JIRA too, but JIRA needs the email address name.
Has any of you faced the same issue and come up with a solution? I am happy to hear any ideas.
Have a nice day.