IBM Security QRadar SOAR

  • 1.  Resilient-QRadar integration questions

    Posted Tue November 17, 2020 04:57 AM
    Hi All,

    I have a few questions about the QRadar-Resilient integration app.

    1. Is it possible to make the user that escalated the incident from an offense the owner of the created incident?
    2. Is it possible to extract these offense fields from an offense to the escalated incident? Username, Annotations, High/Low Level Category.
    3. Is there any base format for how we can extract other fields from an offense with the escalation template?
    4. Is it possible to create an artifact from an escalated offense's Username value?
    5. Is it possible to extract the QRadar rule name and content that generated the escalated offense to the created incident's Description or Note?
    6. Is it possible, after the escalation of an offense, to write the created Resilient incident number and, if possible, its URL (even in text format) in the offense note?
    7. How can we write an AQL search that extracts the "inoffense" and "start time" fields for the artifact we initiated it from?
    8. How can we name the created attachment of an AQL search? We need it to correspond to the artifact we searched for. Another option would be writing the created attachment's name in the artifact description.
    9. Is it possible to attach QRadar offenses to incidents other than through escalation, e.g. through a QRadar offense ID artifact? It would be very useful when the incident has started to be processed in Resilient and it turns out that other offenses are related to it.
    10. Is it possible to run AQL queries for artifacts automatically? E.g. for all log sources in the past 7 days.
    11. Is it possible to change the log source in the AQL query? Right now only the interval is alterable.

    If you could help me with these questions I would really appreciate that.

    Thank you.

    Regards,
    Adam

    ------------------------------
    Adam
    ------------------------------


  • 2.  RE: Resilient-QRadar integration questions

    Posted Tue November 17, 2020 05:17 PM
    Hello Adam,

    This is a great list of questions. I'll try to answer most of them; however, in order for you to fully understand the workings of the integration, I recommend checking out the documentation supplied with the integration. Let me know if some parts of it are not clear and in your opinion need more information. It is an excellent resource that might answer most of your future questions as well.

    1. Yes, with a condition. Custom templates have a `res_email` filter; however, it requires the email of the user creating the offense to exist in Resilient.
    2. In the template creator window there is a button `show fields`. This is the full list of information that can be entered into the template.
    3. Similar to answer 2. Documentation also provides more guidance on the usage of those fields in the template.
    4. Any of the available offense fields can be used to create custom artifacts. This is available at the bottom of the template creation page.
    5. At the moment, only the name of the rule is available, as only that is exposed in the offense fields.
    6. The integration does that already with the link to the created incident/case.
    7. This would require some work on both Resilient and QRadar side. I would recommend starting by taking a look at "Delete from QRadar Reference Set" and "Search QRadar for offense id" rules supplied with the integration. You would need to use them as a reference and create a workflow that takes a value of an artifact and submits it to your custom QRadar query.
    To create the query, I recommend first testing different options in QRadar and its search.
    8. You could chain the result of the search in your workflow with fn_utilities function string_to_attachment, which allows you to pass text, name, and incident id where attachment with your given name and content will be created.
    9. It's not supported by the plugin, however you could create a custom artifact in the template with offense_id, so you get relations through global artifacts.
    10. Yes - one of the capabilities of the Resilient platform is defining automatic and manual actions that need to be executed. You could even use the workflow you are creating above and have it trigger automatically upon an incident's creation.
    11. For that you might need to create your own AQL query.

    It seems like you have a clear vision for the automations you want, so I hope these answers help you achieve them!

    ------------------------------
    Ihor Husar
    ------------------------------
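Items 7 and 8 of the answer above describe chaining an artifact value into a custom AQL search and then naming the resulting attachment after that artifact. The Python below is an added example, not code from the integration, from fn_utilities or from IBM; the artifact type names, the column mapping, the selected columns and the 7-day default are assumptions for illustration. The point it makes is one the thread does not spell out: an artifact value is data lifted from events (a username, an IP), so it is attacker-influenced and must be quoted as an AQL string literal (AQL escapes an embedded single quote by doubling it) instead of being concatenated into the query raw, and the attachment name derived from it must be reduced to a safe character set.

```python
import re
from datetime import datetime, timezone

# Artifact types matched by equality against an Ariel column.
# The type names and column choice are assumptions for this example.
ARTIFACT_COLUMNS = {
    "User Account": "username",
    "IP Address": "sourceip",
}

# Columns returned to the analyst; DATEFORMAT, QIDNAME and LOGSOURCENAME are
# standard AQL functions, the alias names are our own choice.
SELECT_COLUMNS = (
    "DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS start_time, "
    "QIDNAME(qid) AS event_name, LOGSOURCENAME(logsourceid) AS log_source, "
    "sourceip, destinationip, username"
)


def aql_string(value):
    """Return value as a quoted AQL string literal.

    The value comes from an artifact, i.e. from event data an attacker can
    shape, so it is never spliced into the query raw. Doubling each embedded
    single quote keeps the whole value inside one literal, so it cannot close
    the string and append its own predicates.
    """
    if not isinstance(value, str) or not value.strip():
        raise ValueError("artifact value must be a non-empty string")
    if any(ch in value for ch in "\x00\r\n"):
        raise ValueError("control characters are not allowed in an artifact value")
    return "'" + value.replace("'", "''") + "'"


def build_artifact_query(artifact_type, artifact_value, days=7, log_source=None, limit=1000):
    """Build an events search for one artifact over the last `days` days.

    "QRadar Offense ID" artifacts are searched with INOFFENSE(); every other
    known type is an equality match on its column. The time window and the
    optional log source filter are parameters, which is what the stock AQL
    rule shipped with the integration does not let you vary per query.
    """
    days = int(days)
    if not 1 <= days <= 90:
        raise ValueError("days must be between 1 and 90")
    limit = int(limit)
    if not 1 <= limit <= 50000:
        raise ValueError("limit out of range")

    if artifact_type == "QRadar Offense ID":
        offense_id = int(str(artifact_value).strip())  # anything non-numeric raises here
        if offense_id <= 0:
            raise ValueError("offense id must be positive")
        predicate = f"INOFFENSE({offense_id})"
    elif artifact_type in ARTIFACT_COLUMNS:
        predicate = f"{ARTIFACT_COLUMNS[artifact_type]} = {aql_string(artifact_value)}"
    else:
        raise ValueError(f"no query defined for artifact type {artifact_type!r}")

    if log_source is not None:
        predicate += f" AND LOGSOURCENAME(logsourceid) = {aql_string(log_source)}"

    return (
        f"SELECT {SELECT_COLUMNS} FROM events WHERE {predicate} "
        f"ORDER BY starttime DESC LIMIT {limit} LAST {days} DAYS"
    )


def attachment_name(artifact_type, artifact_value, when=None):
    """Derive a filesystem-safe attachment name that identifies the artifact.

    Only [A-Za-z0-9._-] survive from the artifact value and leading or
    trailing dots, dashes and underscores are dropped, so a value such as
    "../../etc" or one carrying quotes cannot yield a surprising file name.
    """
    def slug(text):
        cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", text).strip("._-")
        return cleaned[:64] or "value"

    stamp = (when or datetime.now(timezone.utc)).strftime("%Y%m%dT%H%M%SZ")
    return f"aql_{slug(artifact_type.lower())}_{slug(str(artifact_value))}_{stamp}.csv"


if __name__ == "__main__":
    # Constructed artifact values, including one that tries to break out of the literal.
    for kind, value in [("User Account", "bob' OR 1=1 --"), ("QRadar Offense ID", "42")]:
        print(build_artifact_query(kind, value, days=7, log_source="Firewall"))
        print(attachment_name(kind, value))
```

In a workflow, the query string goes to the QRadar search function and the name to string_to_attachment; the offense-ID branch rejects anything that is not an integer, which is the only safe way to put an unquoted value into AQL.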



  • 3.  RE: Resilient-QRadar integration questions

    Posted Wed November 18, 2020 10:49 AM
    Hello Adam,

    As a follow-on to Ihor's response, the QRadar-Resilient integration can be found here. The documentation can be downloaded from that page under the "Additional Information" section on the lower righthand side. If you have any outstanding questions that our responses or the docs fail to fully address, let us know.

    Thank you,
    Brian

    ------------------------------
    Brian Reid
    ------------------------------



  • 4.  RE: Resilient-QRadar integration questions

    Posted Sat November 21, 2020 09:42 AM

    1. Is it possible to make the user that escalated the incident from an offense owner of the created incident?

    In QRadar, how is the user that escalates the offense known? Can he be referenced in JINJA2 templating syntax? Example: {{ offense.id }}

    I do not think so... so my answer will be no.

    Of course, if you can find a JINJA2 field that is "the connected user", then you can send it into a field in Resilient, either as owner if it is the same ID (User Email) or using a rule/script to adapt user ==> email ==> owner and set ownership.

    My suggestion, if that is not possible, would be to put all QRadar Analysts in a Resilient Group and assign new QRadar incidents to this group, so the user will find his "own" incident in this list and can assign it to himself.


    2. Is it possible to extract these offense fields from an offense to the escalated incident? Username, Annotations, High/Low Level Category.
    Yes, but not directly, as they are not in QRadar's very limited "Offense fields" list.

    I use the QRadar Functions for Resilient App https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4 and the search function inside, allowing you to run arbitrary QRadar Ariel queries from Resilient workflows, and updating the incident with results. An example is included for simple search by username, ip address, or offense ID.

    An example is attached in the pdf file, and also in the sample res file to import into a test environment; see the attached QROC and QRadar Trial files.

     

    3. Is there any base format that how can we extract other fields from an offense with the escalation template?
    Yes:
    list of fields https://YourQradarAdress/console/plugins/1055/app_proxy/mapping_screen/Triage#showfields 

    and for other information, refer to #2 here

     

    4. Is it possible to create an artifact from an escalated offense's Username value?

    Yes,

    in the template you can build artifacts from offense fields:

    [screenshot]

    or using #2 when you fill the Usernames table, either with a manual action like below, or the same rule automated

    [screenshot]

     

    5. is it possible to extract the QRadar rule name and content that generated the escalated offense to the created incident's Description or Note?
    Yes
    QRadar Offense events I assume?

    [screenshot]

    See #2

     

    6. Is it possible that after the escalation of an offense write the created Resilient incident number and if possible its URL(even in text format) in the offense note?
    Yes:

    you can script in Resilient a field with the URL, Org ID and Incident ID, and add it in a note:
    URL: https://MyResilientServer/#incidents/MyIncidentNumber?orgId=MyOrgID

    In the Resilient integration on QRadar, under Preferences, be sure to select the sync of notes

    [screenshot]

    Note: by default there is one, but in the case of my example the IP is not reachable from outside, so I have done it from Resilient:

    [screenshot]

     

     

    7. How can we write an AQL search that extracts the "inoffense" and "start time" fields from the artifact we initiated for?
    Using AQL queries and the Search function

    See #2

     

    8. How can we name the created attachment of an AQL search? We need it to correspond to the artifact we searched for. Another option that writing in the artifact description the created attachment's name.
    If you speak of "attachment", you are using the AQL from the Resilient integration on QRadar.

    At the moment the result is the query rule name and the date:

    [screenshot]

    This is managed by the integration on QRadar and you can't change it.

    You can propose an RFE if you want on https://2e4ccba981d63ef83a875dad7396c9a0.ideas.aha.io/ideas

    I would suggest you use the #2 sample for most of your requests, to use the results directly in fields and tables, reserving the other for a "large" number of results like the original full list of 50K logs!

     

    9. Is it possible to attach QRadar offenses to incidents other than escalation e.g. through a QRadar offense ID artifact? It would be very useful when the incident is started to process in Resilient and it turned out that other offenses are related to it.
    I do not get exactly the sense of the question. Could you be more precise?

    Note: some elements can be added directly from the offense to the incident as artifacts:

    [screenshot]

     

    10. Is it possible to run AQL queries for artifacts automatically? E.g. for all log sources in the past 7 days.

    Yes.

    See #2

     

    11. Is it possible to change the log source in the AQL query? Right now only the interval is alterable.
    Yes, just build the query and enter it in the search function, like in #2



    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
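Item 6 of the answer above gives the shape of the link to write back into the offense note, https://MyResilientServer/#incidents/MyIncidentNumber?orgId=MyOrgID, and says to script it from Resilient. The Python below is an added example, not the integration's or IBM's code: it composes that link and the note text, and parses the link back. The server name, ids and incident title are constructed sample values. The design point is that the server comes only from your own configuration and both ids are forced to positive integers, so nothing copied from an offense (an analyst-entered or attacker-shaped string) can change where the link points.

```python
from urllib.parse import parse_qs, urlsplit, urlunsplit


def incident_url(base_url, org_id, incident_id):
    """Return https://<server>/#incidents/<incident_id>?orgId=<org_id>.

    Only the scheme and host of base_url are used (any path or query on it is
    dropped) and https is required, so the note never carries a plaintext link
    to the SOAR console.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("base_url must be an https:// URL with a host name")
    org_id, incident_id = int(org_id), int(incident_id)
    if org_id <= 0 or incident_id <= 0:
        raise ValueError("org_id and incident_id must be positive integers")
    # Resilient puts the incident route and orgId inside the URL fragment.
    fragment = f"incidents/{incident_id}?orgId={org_id}"
    return urlunsplit((parts.scheme, parts.netloc, "/", "", fragment))


def parse_incident_url(url):
    """Inverse of incident_url: return (org_id, incident_id).

    Raises ValueError for anything that is not an incident link, which is
    useful when reading such a note back from QRadar to find the related case.
    """
    parts = urlsplit(url)
    path, _, query = parts.fragment.partition("?")
    prefix, sep, incident = path.partition("incidents/")
    if prefix or not sep:
        raise ValueError("not a Resilient incident link")
    org = parse_qs(query).get("orgId", [])
    if len(org) != 1:
        raise ValueError("missing or repeated orgId")
    return int(org[0]), int(incident)


def offense_note(base_url, org_id, incident_id, incident_name=""):
    """Text for the QRadar offense note: incident number, optional title, link."""
    url = incident_url(base_url, org_id, incident_id)
    title = incident_name.strip()
    suffix = f" ({title})" if title else ""
    return f"Escalated to Resilient incident #{int(incident_id)}{suffix}\n{url}"


if __name__ == "__main__":
    # Constructed values: server name, org id, incident id and title are samples.
    print(offense_note("https://resilient.example.com", 201, 2104, "Suspicious login"))
```

The note text is what a workflow would post to the offense through the QRadar REST API; that call is left out here so the example runs offline.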