IBM Security QRadar


Resilient QRadar Integration - Escalation Conditions

  • 1.  Resilient QRadar Integration - Escalation Conditions

    Posted Wed December 16, 2020 11:00 PM

    We have been using the Resilient QRadar Integration in QRadar on Cloud for some time now, and I've recently started to see some inconsistencies in how rules are naming my Offenses, which inevitably impacts my automation for when offenses get escalated to Resilient, since my rules are using logic keying on the Description Offense Field. While I will work with IBM to figure that out, I have scoured the Internet for what the proper RegEx logic is that can be employed in Automated Escalation Conditions. I know it takes wildcards, but the tooltip actually states "enter regexp here", leading me to believe that it should be able to take actual regular expressions, thus allowing me to enter things like da\d{12,25}_-?\d{6,15}. However, this doesn't appear to be working, even though I can clearly match it in other tools like Python, Notepad++, etc. If I cannot rely on my descriptions / offense names to be consistent, I assume that keying on offense source would be the logical next step, since most of my use cases and templates leverage custom fields that have unique identifiers which I use to pull data from other external APIs.

    For example, one of my use cases will always have the same offense source, with a value containing "da", a bunch of numbers, an underscore, and you get the rest from the RegEx I entered above.... :)

    With that said, does anyone know how actual regular expressions need to be entered in this QRadar Resilient Integration App? If anyone has done this (and I don't mean wildcards) and got it to work, I'd love to hear how you got it working. Since this integration lives as an app on QRadar, I assumed this was where this should be posted vs. the Resilient group. Thanks!



    ------------------------------
    Mr Coco
    ------------------------------



  • 2.  RE: Resilient QRadar Integration - Escalation Conditions

    Posted Fri April 09, 2021 02:07 PM
    Try fnmatch expressions instead.

    ------------------------------
    Serguei Tchesnokov
    ------------------------------
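The following is an added example, not code from the thread or from the Resilient QRadar Integration app itself. It assumes, as the reply suggests, that the escalation condition is evaluated with Python's fnmatch module rather than the re module; the thread does not confirm how the app implements matching. The sample offense-source values and the glob patterns are constructed here for illustration. It shows why a pattern written in regular-expression syntax such as da\d{12,25}_-?\d{6,15} matches nothing under fnmatch (the \d and {12,25} are treated as literal characters), how the same intent is approximated with shell-style wildcards and character classes, and what fnmatch actually compiles a glob into.

```python
import fnmatch
import re

# Constructed sample offense-source values (not taken from the original thread).
SAMPLE_SOURCES = [
    "da123456789012_-123456",        # "da", 12 digits, "_", "-", 6 digits
    "da1234567890123456_7890123",    # 16 digits, "_", no hyphen, 7 digits
    "DA123456789012_123456",         # uppercase prefix
    "db123456789012_123456",         # wrong prefix
    "da12_34",                       # too few digits
]

# The regex from the question, as written for the re module.
REGEX = r"da\d{12,25}_-?\d{6,15}"

# Loose glob: "da", anything, "_", anything.
GLOB_LOOSE = "da*_*"

# Tighter glob (assumed approximation, not an exact equivalent of REGEX):
# "da", twelve digits, anything, "_", anything, ending in a digit.
GLOB_STRICT = "da" + "[0-9]" * 12 + "*_*[0-9]"


def matches_regex(value, pattern=REGEX):
    """Anchored full-string match with a real regular expression."""
    return re.fullmatch(pattern, value) is not None


def matches_glob(value, pattern):
    """Shell-style match as fnmatch interprets it: *, ?, [seq], [!seq].

    fnmatchcase is used so the result does not depend on the host OS's
    case normalisation (fnmatch.fnmatch folds case on Windows).
    """
    return fnmatch.fnmatchcase(value, pattern)


def regex_syntax_under_fnmatch(value, pattern=REGEX):
    """Feed the regex string to fnmatch to show it is read literally."""
    return fnmatch.fnmatchcase(value, pattern)


def glob_as_regex(pattern):
    """The regular expression fnmatch compiles a glob into."""
    return fnmatch.translate(pattern)


def classify(values):
    """Compare all three interpretations over the sample values."""
    return {
        v: {
            "regex": matches_regex(v),
            "glob_loose": matches_glob(v, GLOB_LOOSE),
            "glob_strict": matches_glob(v, GLOB_STRICT),
            "regex_fed_to_fnmatch": regex_syntax_under_fnmatch(v),
        }
        for v in values
    }


if __name__ == "__main__":
    for value, result in classify(SAMPLE_SOURCES).items():
        print(f"{value:30} {result}")
    print("fnmatch compiles", GLOB_LOOSE, "to", glob_as_regex(GLOB_LOOSE))
```

The practical point: a glob is strictly coarser than the regex, so a value like da12_34 that the regex rejects will satisfy da*_*. If the escalation condition only understands fnmatch syntax, the repetition counts in the original regex cannot be expressed exactly; [0-9] classes repeated a fixed number of times, as in GLOB_STRICT, get the closest approximation, and any residual filtering has to happen downstream.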