Hi Jean-Luc,
I defined a custom Python script under Custom Actions > Define Actions in order to block the attacker IP when a SIEM rule is matched.
The purpose of this script is to block an attacker IP address on the firewall side; to do this, QRadar connects to the firewall via SSH and adds the IP address to a blacklist.
The attacker IP address is passed to the script via a Network Event Property (which is automatically populated by QRadar when the SIEM rule is matched).
The username and password for the firewall SSH connection are passed via a Fixed Property.
The next improvement to the script is to add a note to the offense about the IP that was blocked.
I need QRadar to automatically pass the offense ID to the script; in this way the script can add the note.
The offense ID is not included in the Network Event Properties, so I have to find a different way :(
Thank you for the support.
------------------------------
alessandro siracusa
------------------------------
Original Message:
Sent: Fri July 05, 2019 01:07 PM
From: Jean-Luc Labbe
Subject: Custom action - how to pass the offense id
Hi Alessandro,
AFAIK you are not going to be able to retrieve the offense_id the way you are trying to do it.
So unless someone comes up with a "magic trick", it would help if you could explain what you are trying to achieve (in other words, a detailed description of your specific use case) so that the "Community" can try and suggest ways to approach and implement your specific use case.
my2cs
------------------------------
Jean-Luc Labbe
Cognitive Security Intelligence, Europe
IBM Security
Original Message:
Sent: Fri July 05, 2019 03:52 AM
From: alessandro siracusa
Subject: Custom action - how to pass the offense id
Hi team,
Is it possible to pass the offense ID to a custom action script?
The ID doesn't seem to be a Network Event Property that can be passed to a custom action script.
Thank you
------------------------------
alessandro siracusa
------------------------------