IBM Security QRadar SOAR

  • 1.  App function that query API at regular interval

    Posted Wed February 24, 2021 09:02 AM
    Hello,

    We have a platform which contains alerts. We want the Resilient app to query the platform's API every minute (or every 5 minutes) and create a Resilient incident for each alert found via the API. That means the Resilient rules will no longer be the trigger; the function will be. Is it possible to accomplish that? If yes, how do we do it?

    Regards
    Thanks

    ------------------------------
    Ekham Ramdul
    ------------------------------


  • 2.  RE: App function that query API at regular interval

    Posted Wed February 24, 2021 12:16 PM
    Hi Ekham,

    Of course you can do what you want via API-to-API communication; it's about your imagination.

    If your main purpose is converting alerts to incidents, another way is this: if the platform that contains the alerts can send mail for alerts, you can send those mails to your Resilient. Then you can create incidents from the alerts using the Generic Email Parsing Script.

    ------------------------------
    Burak Karaduman
    ------------------------------



  • 3.  RE: App function that query API at regular interval

    Posted Thu February 25, 2021 08:49 AM
    Hi Ekham

    You can write a polling app. Examples of apps that poll and create incidents in our community apps github are:

    • fn_microsoft_security_graph
    • fn_proofpoint_tap
    • fn_proofpoint_trap 
    • fn_secureworks_ctp
    • fn_cb_protection

    Hope that helps.

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------