IBM Security QRadar


Assignment to user an Offense

  • 1.  Assignment to user an Offense

    Posted Mon June 15, 2020 11:50 AM
    Edited by Marcos _ Mon June 15, 2020 11:52 AM
    Well, I wanted to know, please, if it is possible to assign an offense to a user automatically every time the offense is launched.

    Maybe it could be done by API? If so, could you please tell me how?

    Thank you very much in advance.

    ------------------------------
    Marcos _
    ------------------------------


  • 2.  RE: Assignment to user an Offense

    Posted Mon June 15, 2020 02:04 PM
    I found the following API endpoint which can be used to update an offense: POST /siem/offenses/{offense_id}
    In the request the parameter "assigned_to" contains the username to which the offense should be assigned.

    I do not know how you can automate offense assignment. Maybe using an offense rule and a custom actions script with the API request as a rule action.


  • 3.  RE: Assignment to user an Offense

    Posted Tue June 16, 2020 03:59 AM
    Thank you very much for answering.
    But I have tried, and I can't find a way to tell the API that it should always happen when the offense with that name fires.

    I know how to automate it, but I am looking in the API for the curl code

    (example:

    curl -s -X POST -H 'Version: 11.0' -H 'Accept: application/json' 'https://qradar.xxxxxx.xx/api/siem/offenses/123456?assigned_to=markos&description=TEST%20Markos%20(TEST)%20containing%20Search%20Executed')

    Thank you in advance

    ------------------------------
    Marcos _
    ------------------------------
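
The request discussed in replies 2 and 3, as an added example that is not part of the original posts and is not IBM's code: a Python script that builds `POST /api/siem/offenses/{offense_id}?assigned_to=<username>` with the query value URL-encoded and the credential sent as an authorized service token in the `SEC` header. The function names, the command-line interface and reading the token from stdin are assumptions; how the offense id reaches the script (for example as a custom action parameter) depends on the rule setup.

```python
import json
import ssl
import sys
import urllib.parse
import urllib.request

API_VERSION = "11.0"  # same Version header as the curl attempt in the thread


def build_assign_request(console, offense_id, username, token):
    """Build POST /api/siem/offenses/{offense_id}?assigned_to=<username>."""
    # Accept only a numeric offense id so nothing else can reach the URL path.
    if not str(offense_id).isdecimal():
        raise ValueError("offense_id must be numeric")
    if not username or not token:
        raise ValueError("username and token are required")
    # urlencode() escapes spaces, '&', '#' and similar characters in the value.
    query = urllib.parse.urlencode({"assigned_to": username})
    url = f"https://{console}/api/siem/offenses/{int(offense_id)}?{query}"
    headers = {
        "SEC": token,  # authorized service token; keep it out of the URL and logs
        "Version": API_VERSION,
        "Accept": "application/json",
    }
    return urllib.request.Request(url, method="POST", headers=headers)


def assign_offense(console, offense_id, username, token, ca_file=None):
    """Send the request with certificate verification on; return the JSON body."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_assign_request(console, offense_id, username, token)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Hypothetical invocation: assign.py <console> <offense_id> <username>
    # The token is read from stdin so it does not appear in the process list.
    console, offense_id, username = sys.argv[1:4]
    token = sys.stdin.readline().strip()
    result = assign_offense(console, offense_id, username, token)
    print(result.get("id"), result.get("assigned_to"))
```

The token should belong to a service account whose role is limited to what offense updates require, and `ca_file` can point at the console's CA certificate when it is not in the system trust store.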



  • 4.  RE: Assignment to user an Offense

    Posted Fri September 11, 2020 08:51 AM
    Hi Mar,

    Could you please share with me details on how to automate?

    ------------------------------
    USF SIEM
    ------------------------------