Hi everyone,
I'm trying to figure out what is the best way to run a SOC in Resilient with QRadar as an integration.
My conclusion was that I wanted to build a workflow for each QRadar offense type (Excessive firewall denies, Multiple login failures, Large outbound data transfer and so on). Yes, it could be a big project, I know, but I don't know a better way to do it.
What I'm asking for is:
I'm using the QRadar Search in Resilient to parse information from the offense in QRadar into a data table, and I know that the analyst uses 3 different searches in QRadar to analyse the "Excessive firewall denies" offense in QRadar,
so I wanted Resilient to do these searches automatically and parse them into 3 different data tables. The problem is that every time I create a new data table, I need to create a new API name for the row, even though I wanted to use the same row API names, e.g. (Source IP, Destination IP, Source port and Destination port). I could of course call the API names Source_IP_1, Source_IP_2 and Source_IP_3, but it would be a bit of a mess if I have 3 searches for each QRadar offense type.
If anyone else has a better way to get the information into Resilient, then I'm open to any kind of advice.
------------------------------
Philip Wahlstrøm
------------------------------
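An added example (my own code, not from the original post or from IBM) of keeping one shared row definition while the column API names still differ per data table, as the post describes with Source_IP_1, Source_IP_2 and Source_IP_3. It assumes each table's column API names are the shared field names with a numeric suffix, and that a Resilient data-table row is submitted as a dict of cells keyed by column API name; both the suffix scheme and the cell layout are assumptions, and the search results are constructed sample data.

```python
# Added example, not from the original post. One shared field list is mapped
# onto per-table column API names (assumed scheme: <field>_<table number>),
# so the three searches for one offense type share a single row definition.
SHARED_FIELDS = ["source_ip", "destination_ip", "source_port", "destination_port"]

# Constructed sample: three QRadar search results for one offense, one per table.
SEARCH_RESULTS = {
    "fw_denies_by_source": [
        {"source_ip": "10.0.0.5", "destination_ip": "203.0.113.9",
         "source_port": 51515, "destination_port": 445},
    ],
    "fw_denies_by_destination": [
        {"source_ip": "10.0.0.5", "destination_ip": "203.0.113.9",
         "source_port": 51516, "destination_port": 3389},
        {"source_ip": "10.0.0.7", "destination_ip": "203.0.113.9",
         "source_port": 40001, "destination_port": 3389},
    ],
    "fw_denies_by_port": [
        {"source_ip": "10.0.0.5", "destination_ip": "198.51.100.2",
         "source_port": 51517, "destination_port": 22},
    ],
}


def column_api_name(field, table_index):
    """Assumed naming scheme for the column API name in data table N."""
    return f"{field}_{table_index}"


def build_rows(table_index, results):
    """Turn search results into row payloads for one data table.

    Assumed payload shape: {"cells": {<column api name>: {"value": ...}}}.
    Rows missing a shared field, or with an invalid port, are rejected rather
    than silently written with empty cells.
    """
    rows = []
    for result in results:
        missing = [f for f in SHARED_FIELDS if f not in result]
        if missing:
            raise ValueError(f"table {table_index}: result lacks {missing}")
        for port_field in ("source_port", "destination_port"):
            port = result[port_field]
            if not isinstance(port, int) or not 0 <= port <= 65535:
                raise ValueError(f"table {table_index}: bad {port_field} {port!r}")
        cells = {column_api_name(f, table_index): {"value": result[f]}
                 for f in SHARED_FIELDS}
        rows.append({"cells": cells})
    return rows


def build_all(search_results):
    """Number the tables 1..N in search order and build every table's rows."""
    return {name: build_rows(i, res)
            for i, (name, res) in enumerate(search_results.items(), start=1)}
```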