1. Is it possible to make the user who escalated the offense the owner of the created incident?
In QRadar, how is the user who escalates the offense identified? Can they be referenced in the Jinja2 templating syntax, for example like {{ offense.id }}?
I do not think so, so my answer will be no.
Of course, if you can find a Jinja2 field for "the connected user", you can send it into a field in Resilient, either as owner if it is the same ID (user email), or use a rule/script to map user => email => owner and set ownership.
If that is not possible, my suggestion is to put all QRadar analysts in a Resilient group and assign new QRadar incidents to this group, so the user will find their "own" incident in this list and can assign it to themselves.
2. Is it possible to extract these offense fields from an offense to the escalated incident: Username, Annotations, High/Low Level Category?
Yes, but not directly, as they are not in QRadar's very limited "Offense fields" list.
An example is attached in the PDF file, and also in the sample .res file to import into a test environment; see the attached QROC and QRadar Trial files.
For the other information, refer to #2 here.
4. Is it possible to create an artifact from an escalated offense's Username value?
In the template you can build artifacts from offense fields:
[image: image004.png]
Or using #2, when you fill the Usernames table, either with a manual action like below or with the same rule automated:
[image: image005.png]
5. Is it possible to extract the QRadar rule name and content that generated the escalated offense to the created incident's Description or Note?
Yes.
QRadar offense events, I assume?
[image: image006.png]
6. Is it possible, after the escalation of an offense, to write the created Resilient incident number and, if possible, its URL (even in text format) in the offense note?
Yes:
In the Resilient integration on QRadar, under Preferences, be sure to select the sync of notes:
[image: image014.png]
Note that by default there is one, but in the case of my example the IP is not reachable from outside, so I have done it from Resilient:
[image: image009.png]
7. How can we write an AQL search that extracts the "inoffense" and "start time" fields from the artifact we initiated for?
Using AQL queries and the Search function.
8. How can we name the created attachment of an AQL search? We need it to correspond to the artifact we searched for. Another option would be writing the created attachment's name in the artifact description.
If you speak of "attachment", you are using the AQL from the Resilient integration on QRadar.
At the moment the result is the query rule name and the date:
[image: image010.png]
This is managed by the integration on QRadar and you can't change it.
I would suggest you use the #2 sample for most of your requests, to use the result directly in fields and tables, reserving the other for a "large" number of results like the original full list of 50K logs!
9. Is it possible to attach QRadar offenses to incidents other than through escalation, e.g. through a QRadar offense ID artifact? It would be very useful when an incident has started to be processed in Resilient and it turns out that other offenses are related to it.
I do not get exactly the sense of the question. Could you be more precise?
Note: some elements can be added directly from the offense to the incident as artifacts:
[image: image011.png]
10. Is it possible to run AQL queries for artifacts automatically? E.g. for all log sources in the past 7 days.
11. Is it possible to change the log source in the AQL query? Right now only the interval is alterable.
Yes, just build the query and enter it in the search function like in #2.
------------------------------
BENOIT ROSTAGNI
------------------------------
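As an added example, not taken from the reply above or from the Resilient/QRadar integration itself, the following AQL query shows the shape of a search that covers questions 5, 7 and 11 of this thread: it restricts events to those attached to a given offense (INOFFENSE), returns the event start time, filters on a specific log source instead of only the time interval, and pulls the names of the rules that fired on each event. The offense ID 1234 and the log source name 'Windows-DC01' are placeholders I made up; replace them with your own values.

```sql
/* Added example, not from the post. Offense ID 1234 and the log source name
   'Windows-DC01' are placeholders, not values taken from the thread. */
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_start,
    sourceip,
    destinationip,
    username,
    LOGSOURCENAME(logsourceid) AS log_source,
    QIDNAME(qid) AS event_name,
    RULENAME(creeventlist) AS matched_rules
FROM events
WHERE INOFFENSE(1234)
  AND LOGSOURCENAME(logsourceid) = 'Windows-DC01'
ORDER BY starttime DESC
LIMIT 50
LAST 7 DAYS
```

The trailing LAST 7 DAYS is the interval the integration already lets you alter; the LOGSOURCENAME(logsourceid) = '...' predicate in the WHERE clause is how you change the log source (question 11). The query can be tested first in the QRadar Log Activity advanced search before pasting it into the integration's search function. Two caveats: username is empty for many event types, so filter or check for NULL if you build artifacts from it, and RULENAME(creeventlist) lists the rules that matched each event, which is not always the single rule that created the offense.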
Original Message:
Sent: Tue November 17, 2020 04:56 AM
From: Adam
Subject: Resilient-QRadar integration questions
Hi All,
I have a few questions about the QRadar-Resilient integration app.
1. Is it possible to make the user who escalated the offense the owner of the created incident?
2. Is it possible to extract these offense fields from an offense to the escalated incident: Username, Annotations, High/Low Level Category?
3. Is there any base format for how we can extract other fields from an offense with the escalation template?
4. Is it possible to create an artifact from an escalated offense's Username value?
5. Is it possible to extract the QRadar rule name and content that generated the escalated offense to the created incident's Description or Note?
6. Is it possible, after the escalation of an offense, to write the created Resilient incident number and, if possible, its URL (even in text format) in the offense note?
7. How can we write an AQL search that extracts the "inoffense" and "start time" fields from the artifact we initiated for?
8. How can we name the created attachment of an AQL search? We need it to correspond to the artifact we searched for. Another option would be writing the created attachment's name in the artifact description.
9. Is it possible to attach QRadar offenses to incidents other than through escalation, e.g. through a QRadar offense ID artifact? It would be very useful when an incident has started to be processed in Resilient and it turns out that other offenses are related to it.
10. Is it possible to run AQL queries for artifacts automatically? E.g. for all log sources in the past 7 days.
11. Is it possible to change the log source in the AQL query? Right now only the interval is alterable.
If you could help me with these questions I would really appreciate that.
Thank you.
Regards,
Adam
------------------------------
Adam
------------------------------