IBM Security QRadar SOAR

Hi everyone,
I'm trying to figure out what's the best way to run a SOC in Resilient with QRadar as an integration, 

My conclusion was that I wanted to build a workflow for each QRadar offense Type, (Excessive firewall denies,  Multiple Login failures,  Large outbound of data transfer and so on) Yes it could be a big project, I know, but I don't know a better way to do it. 

What I'm asking for is:
I'm using the QRadar Search in Resilient to parse information from the Offense in QRadar into a Data table, And I know that the analyst uses 3 different searches in QRadar to analyse the "Excessive firewall denies" offense in QRadar,
so I wanted Resilient to do these searches automatically and parse into 3 different Data tables,  the problem is, that every times I create a new data table, I need to create a new API name for the row, even though I wanted to use the same row API name, fx (Source ip, Destination ip, source port and destination port) I could of cause call the API name Source_IP_1, Source_IP_2 and Source_IP_3 But it would be a bit of a mess, if I have 3 searches for each QRadar offense type.

If anyone else have a better way to get the information into Resilient, then I open for any kind of advice.

------------------------------
Philip Wahlstrøm
------------------------------

Hum, quite difficult to understand exactly what is the problem without a process diagram picture.
1) Offense type : Excessive firewall denies
2) Run automatically 3 QRadar searches [S1/S2/S3] (on which field / artifact) ? What are the differences between each search ? (Input / output)

3) Each Search feed a different table [T1/T2/T3] what are the difference between those tables?

If you need to use dynamic name, that change on cases, you can try to use setattr in python
for example,

​​​​

------------------------------
BENOIT ROSTAGNI
------------------------------

Original Message:
Sent: Wed March 11, 2020 10:29 AM
From: Philip Wahlstrøm
Subject: Running a SOC in Resilient with QRadar integration

Hi everyone,
I'm trying to figure out what's the best way to run a SOC in Resilient with QRadar as an integration, 

My conclusion was that I wanted to build a workflow for each QRadar offense Type, (Excessive firewall denies,  Multiple Login failures,  Large outbound of data transfer and so on) Yes it could be a big project, I know, but I don't know a better way to do it. 

What I'm asking for is:
I'm using the QRadar Search in Resilient to parse information from the Offense in QRadar into a Data table, And I know that the analyst uses 3 different searches in QRadar to analyse the "Excessive firewall denies" offense in QRadar,
so I wanted Resilient to do these searches automatically and parse into 3 different Data tables,  the problem is, that every times I create a new data table, I need to create a new API name for the row, even though I wanted to use the same row API name, fx (Source ip, Destination ip, source port and destination port) I could of cause call the API name Source_IP_1, Source_IP_2 and Source_IP_3 But it would be a bit of a mess, if I have 3 searches for each QRadar offense type.

If anyone else have a better way to get the information into Resilient, then I open for any kind of advice.

------------------------------
Philip Wahlstrøm
------------------------------

When I make new Data Tables I like to set the row api names to <table_name>_<row_name> even if I don't have any other tables using that information yet, At least that way its a bit cleaner than just Source_IP_1, Source_IP_2,etc, and you can always look at any field api name in your logs and know what table its talking about as well as have a consistent format for fields when writing scripts that may utilize multiple tables.  It also provides some scalability in case you require new data tables later on. ​

------------------------------
Griffin Snyder
------------------------------

Original Message:
Sent: Wed March 11, 2020 10:29 AM
From: Philip Wahlstrøm
Subject: Running a SOC in Resilient with QRadar integration

Hi everyone,
I'm trying to figure out what's the best way to run a SOC in Resilient with QRadar as an integration, 

My conclusion was that I wanted to build a workflow for each QRadar offense Type, (Excessive firewall denies,  Multiple Login failures,  Large outbound of data transfer and so on) Yes it could be a big project, I know, but I don't know a better way to do it. 

What I'm asking for is:
I'm using the QRadar Search in Resilient to parse information from the Offense in QRadar into a Data table, And I know that the analyst uses 3 different searches in QRadar to analyse the "Excessive firewall denies" offense in QRadar,
so I wanted Resilient to do these searches automatically and parse into 3 different Data tables,  the problem is, that every times I create a new data table, I need to create a new API name for the row, even though I wanted to use the same row API name, fx (Source ip, Destination ip, source port and destination port) I could of cause call the API name Source_IP_1, Source_IP_2 and Source_IP_3 But it would be a bit of a mess, if I have 3 searches for each QRadar offense type.

If anyone else have a better way to get the information into Resilient, then I open for any kind of advice.

------------------------------
Philip Wahlstrøm
------------------------------

Good suggestion Griffin ! ​​

------------------------------
BENOIT ROSTAGNI
------------------------------

Original Message:
Sent: Thu March 12, 2020 02:36 PM
From: Griffin Snyder
Subject: Running a SOC in Resilient with QRadar integration

When I make new Data Tables I like to set the row api names to <table_name>_<row_name> even if I don't have any other tables using that information yet, At least that way its a bit cleaner than just Source_IP_1, Source_IP_2,etc, and you can always look at any field api name in your logs and know what table its talking about as well as have a consistent format for fields when writing scripts that may utilize multiple tables.  It also provides some scalability in case you require new data tables later on. ​

------------------------------
Griffin Snyder

Original Message:
Sent: Wed March 11, 2020 10:29 AM
From: Philip Wahlstrøm
Subject: Running a SOC in Resilient with QRadar integration

Hi everyone,
I'm trying to figure out what's the best way to run a SOC in Resilient with QRadar as an integration, 

My conclusion was that I wanted to build a workflow for each QRadar offense Type, (Excessive firewall denies,  Multiple Login failures,  Large outbound of data transfer and so on) Yes it could be a big project, I know, but I don't know a better way to do it. 

What I'm asking for is:
I'm using the QRadar Search in Resilient to parse information from the Offense in QRadar into a Data table, And I know that the analyst uses 3 different searches in QRadar to analyse the "Excessive firewall denies" offense in QRadar,
so I wanted Resilient to do these searches automatically and parse into 3 different Data tables,  the problem is, that every times I create a new data table, I need to create a new API name for the row, even though I wanted to use the same row API name, fx (Source ip, Destination ip, source port and destination port) I could of cause call the API name Source_IP_1, Source_IP_2 and Source_IP_3 But it would be a bit of a mess, if I have 3 searches for each QRadar offense type.

If anyone else have a better way to get the information into Resilient, then I open for any kind of advice.

------------------------------
Philip Wahlstrøm
------------------------------

Hi Griffin, 
Thank you for your advice, that make sense,

do you also have other advice, how to make it simpel in Resilient, 
because if I want to make 3 searches for each Offense type in QRadar and put it into 3 different tables in resillient, then it could be a lot of tables that I need in Resilient. 

another question, is it possible to group rows in Resililent, fx. if the row have the same Source IP, then you could group the data, like you could do in a normal excel worksheet.

------------------------------
Philip Wahlstrøm
------------------------------

Original Message:
Sent: Thu March 12, 2020 02:36 PM
From: Griffin Snyder
Subject: Running a SOC in Resilient with QRadar integration

When I make new Data Tables I like to set the row api names to <table_name>_<row_name> even if I don't have any other tables using that information yet, At least that way its a bit cleaner than just Source_IP_1, Source_IP_2,etc, and you can always look at any field api name in your logs and know what table its talking about as well as have a consistent format for fields when writing scripts that may utilize multiple tables.  It also provides some scalability in case you require new data tables later on. ​

------------------------------
Griffin Snyder

Original Message:
Sent: Wed March 11, 2020 10:29 AM
From: Philip Wahlstrøm
Subject: Running a SOC in Resilient with QRadar integration

Hi everyone,
I'm trying to figure out what's the best way to run a SOC in Resilient with QRadar as an integration, 

My conclusion was that I wanted to build a workflow for each QRadar offense Type, (Excessive firewall denies,  Multiple Login failures,  Large outbound of data transfer and so on) Yes it could be a big project, I know, but I don't know a better way to do it. 

What I'm asking for is:
I'm using the QRadar Search in Resilient to parse information from the Offense in QRadar into a Data table, And I know that the analyst uses 3 different searches in QRadar to analyse the "Excessive firewall denies" offense in QRadar,
so I wanted Resilient to do these searches automatically and parse into 3 different Data tables,  the problem is, that every times I create a new data table, I need to create a new API name for the row, even though I wanted to use the same row API name, fx (Source ip, Destination ip, source port and destination port) I could of cause call the API name Source_IP_1, Source_IP_2 and Source_IP_3 But it would be a bit of a mess, if I have 3 searches for each QRadar offense type.

If anyone else have a better way to get the information into Resilient, then I open for any kind of advice.

------------------------------
Philip Wahlstrøm
------------------------------

Philip,

It isn't possible to "group" by default in the resilient rows but you could do that in the post-process script/function before submitting it to the resilient table. Also you can define "sort" in preview/confirm section of the data table creation.

We have to do the searches each separately and then pass them in through different functions to the tables. It does lead to a lot of tables in Resilient.

On a Side note:
I wanted to reach out and say that we are using Resilient and the Qradar integration. We are running multiple tables for data that an analyst would want to see per incident. We are using the Att&ck Matrix mapping to try and reduce the number of incident types that we need to handle. All of our events trigger off the incident type and then do specific tasks, tabs (include data for that specific response needs), and add artifacts based on what tools responds.

If you want to talk outside of the forum let me know.

------------------------------
Richard Giesige
------------------------------

Original Message:
Sent: Fri March 13, 2020 06:44 AM
From: Philip Wahlstrøm
Subject: Running a SOC in Resilient with QRadar integration

Hi Griffin, 
Thank you for your advice, that make sense,

do you also have other advice, how to make it simpel in Resilient, 
because if I want to make 3 searches for each Offense type in QRadar and put it into 3 different tables in resillient, then it could be a lot of tables that I need in Resilient. 

another question, is it possible to group rows in Resililent, fx. if the row have the same Source IP, then you could group the data, like you could do in a normal excel worksheet.

------------------------------
Philip Wahlstrøm

Original Message:
Sent: Thu March 12, 2020 02:36 PM
From: Griffin Snyder
Subject: Running a SOC in Resilient with QRadar integration

When I make new Data Tables I like to set the row api names to <table_name>_<row_name> even if I don't have any other tables using that information yet, At least that way its a bit cleaner than just Source_IP_1, Source_IP_2,etc, and you can always look at any field api name in your logs and know what table its talking about as well as have a consistent format for fields when writing scripts that may utilize multiple tables.  It also provides some scalability in case you require new data tables later on. ​

------------------------------
Griffin Snyder

Original Message:
Sent: Wed March 11, 2020 10:29 AM
From: Philip Wahlstrøm
Subject: Running a SOC in Resilient with QRadar integration

Hi everyone,
I'm trying to figure out what's the best way to run a SOC in Resilient with QRadar as an integration, 

My conclusion was that I wanted to build a workflow for each QRadar offense Type, (Excessive firewall denies,  Multiple Login failures,  Large outbound of data transfer and so on) Yes it could be a big project, I know, but I don't know a better way to do it. 

What I'm asking for is:
I'm using the QRadar Search in Resilient to parse information from the Offense in QRadar into a Data table, And I know that the analyst uses 3 different searches in QRadar to analyse the "Excessive firewall denies" offense in QRadar,
so I wanted Resilient to do these searches automatically and parse into 3 different Data tables,  the problem is, that every times I create a new data table, I need to create a new API name for the row, even though I wanted to use the same row API name, fx (Source ip, Destination ip, source port and destination port) I could of cause call the API name Source_IP_1, Source_IP_2 and Source_IP_3 But it would be a bit of a mess, if I have 3 searches for each QRadar offense type.

If anyone else have a better way to get the information into Resilient, then I open for any kind of advice.

------------------------------
Philip Wahlstrøm
------------------------------