Hi,
I have seen the recent post about Event Enrichment by Pipotron 2.0, but I think mine is a slightly different case.
I want to be able to enrich offenses with information from a CMDB or similar. I have reviewed the comments made on the aforementioned post, but I couldn't really find a solution that would be suitable for me.
The idea is that an offense is triggered and, based on a unique ID or item within the offense, I can enrich it with information from a CMDB or similar. I haven't found a way to link a CMDB, or just a "lookup table", within QRadar or Resilient to enrich the offense.
There was a mention of a Custom AQL Function by Nico de Smidt, and after going through the documentation I don't think this is the right approach, because it would mean I would need to make an API request to retrieve the information, assuming the thing I'm interacting with has an API to begin with. There is also the question of how I would append the information back to the offense or something else, given that offenses are "immutable" for forensic reasons, as Nico de Smidt commented.
As I mentioned above, I have QRadar and Resilient instances, so if I could do this from either of them or a combination of both, can you please provide some insight and/or documentation on how to achieve this?
Thanks,
------------------------------
Mo Amiri
------------------------------
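As an added example (not part of the original post or IBM's own code), the following Python script sketches the flow the question describes: take the identifier an offense is indexed on, look it up in a CMDB-style table, and append the result to the offense as a note. It assumes two documented QRadar REST endpoints, GET /api/siem/offenses/{id} and POST /api/siem/offenses/{id}/notes (note_text passed as a query parameter), and an SEC token header; the CMDB itself is a constructed in-memory dict standing in for a real CMDB API or a QRadar reference map. The offense JSON is constructed sample data shaped like the fields the script reads, and the assumption that offense_type 0 means "indexed by source IP" is marked in the code.

```python
"""Enrich a QRadar offense with CMDB attributes and record them as an offense note.

Added example, not code from the original post. Offenses themselves are
immutable, but notes can be appended, which is why the enrichment is written
back as a note rather than by editing offense fields.
"""
import json
import urllib.parse
import urllib.request

# Constructed sample CMDB table (asset IP -> attributes). Hypothetical data;
# a real deployment would query the CMDB API or a QRadar reference map here.
CMDB = {
    "10.0.0.5": {"hostname": "db-prod-01", "owner": "dba-team", "criticality": "high"},
    "10.0.0.9": {"hostname": "ws-042", "owner": "finance", "criticality": "low"},
}

# Constructed sample offense carrying only the fields this script reads from
# the /api/siem/offenses response. Values are made up.
SAMPLE_OFFENSE = {
    "id": 1234,
    "offense_type": 0,
    "offense_source": "10.0.0.5",
    "description": "Excessive Firewall Denies",
}

# Assumption: offense_type 0 is "indexed by Source IP", so offense_source is an
# address we can look up. Other index types (username, hostname, ...) would
# need their own key extraction and are deliberately skipped, not guessed.
SOURCE_IP_OFFENSE_TYPE = 0


def extract_lookup_key(offense):
    """Return the identifier to look up in the CMDB, or None if unsupported."""
    if offense.get("offense_type") == SOURCE_IP_OFFENSE_TYPE:
        return offense.get("offense_source")
    return None


def enrich(offense, cmdb):
    """Look the offense's key up in the CMDB table.

    Returns None when the offense type is not handled, a record with
    found=False when the key is unknown, and the CMDB attributes otherwise.
    """
    key = extract_lookup_key(offense)
    if key is None:
        return None
    record = cmdb.get(key)
    if record is None:
        return {"key": key, "found": False}
    return {"key": key, "found": True, **record}


def build_note(enrichment):
    """Render the enrichment as one note string, fields sorted for stable output."""
    if not enrichment["found"]:
        return f"CMDB enrichment: no record for {enrichment['key']}"
    fields = ", ".join(
        f"{k}={v}" for k, v in sorted(enrichment.items()) if k not in ("key", "found")
    )
    return f"CMDB enrichment for {enrichment['key']}: {fields}"


def post_offense_note(base_url, token, offense_id, note_text, opener=urllib.request.urlopen):
    """Append note_text to the offense via POST /api/siem/offenses/{id}/notes.

    Not exercised offline; the opener parameter exists so a caller can
    substitute a stub. urllib verifies the console's TLS certificate by default.
    """
    query = urllib.parse.urlencode({"note_text": note_text})
    url = f"{base_url}/api/siem/offenses/{offense_id}/notes?{query}"
    req = urllib.request.Request(
        url, method="POST", headers={"SEC": token, "Accept": "application/json"}
    )
    with opener(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    result = enrich(SAMPLE_OFFENSE, CMDB)
    if result is not None:
        print(build_note(result))
        # post_offense_note("https://qradar.example", "<token>", SAMPLE_OFFENSE["id"], build_note(result))
```

The same lookup can be kept inside QRadar by loading the CMDB attributes into a reference map and reading them in AQL with REFERENCEMAP('map_name', sourceip); the script above is the variant to use when the CMDB has to be queried live and the result has to land on the offense itself.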