IBM Security QRadar SOAR

  • 1.  Automatic AQL search based on artifacts for log sources

    Posted Wed February 05, 2020 04:57 AM
    Hi All,

    Is it possible that during/after escalation automatically run an AQL search based on the incident's artifacts for all log sources for the past week?

    Thank you.

    Regards,
    Adam

    ------------------------------
    Adam
    ------------------------------


  • 2.  RE: Automatic AQL search based on artifacts for log sources

    Posted Wed February 05, 2020 02:30 PM
    Hi Adam,

    In IBM Resilient QRadar Integration Configuration, Preferences tab, you can enable the option:
    "Enable Resilient users to search the Ariel databases from an incident".

    You can use the existing queries or create your own. Then, in an Incident, Artifact tab, you can run
    the "QRadar Ariel Query" Action Rule on the desired artifact.  By default this is a manually-run action.

    Hope this helps!

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Automatic AQL search based on artifacts for log sources

    Posted Thu February 06, 2020 02:22 AM
    Hi AnnMarie,

    Yes, I am aware of this option and that is why I asked this question because it is a manual-run action. Is there any way to do it automatically?

    Thank you.

    Adam

    ------------------------------
    Adam
    ------------------------------



  • 4.  RE: Automatic AQL search based on artifacts for log sources

    Posted Thu February 06, 2020 02:59 PM
    Hi Adam,

    If you have the fn_qradar_integration package installed, you can create your own custom automatic rules and use the existing or create your own custom workflows and functions.  There are examples of querying reference sets for artifact items.

    What do you mean by "log sources"?  Do you mean "reference sets"?

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 5.  RE: Automatic AQL search based on artifacts for log sources

    Posted Wed February 12, 2020 03:38 AM
    Hi AnnMarie,

    I see.

    I meant Source IPs.

    ------------------------------
    Adam
    ------------------------------
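Added example for this thread, not code from the fn_qradar_integration package or from either poster: a small Python helper of the kind a custom SOAR workflow function (post 4) would use to turn an incident's IP artifacts (post 5) into one AQL query over all log sources for the past week, the query that the manual "QRadar Ariel Query" action of post 2 would otherwise run one artifact at a time. It assumes artifacts arrive as dictionaries with `type` and `value` keys and that the IP artifact type is named "IP Address"; both are assumptions to check against your own SOAR instance. Values are validated as IP addresses before they are placed in the WHERE clause, so a malformed or tampered artifact value is dropped rather than spliced into the query string.

```python
"""
Build an AQL query that looks for an incident's IP-address artifacts across
all log sources over the past week.

Constructed illustration for this thread: it is NOT code from the
fn_qradar_integration package and does not call the Resilient or QRadar
APIs. A workflow function would pass the incident's artifact list in and
hand the returned AQL string to QRadar's Ariel search.
"""
import ipaddress

# Artifact type names we will place into an AQL WHERE clause.
# ASSUMPTION: the IP artifact type is called "IP Address" on your instance.
IP_ARTIFACT_TYPES = {"IP Address"}

# Constructed sample artifacts, as a workflow might receive them.
SAMPLE_ARTIFACTS = [
    {"type": "IP Address", "value": "198.51.100.23"},
    {"type": "IP Address", "value": "198.51.100.23"},   # duplicate, kept once
    {"type": "IP Address", "value": "2001:db8::1"},      # IPv6 is fine too
    {"type": "IP Address", "value": "203.0.113.9'"},     # stray quote: rejected
    {"type": "DNS Name",   "value": "example.test"},     # not an IP artifact
]


def validated_ips(artifacts):
    """Return the distinct artifact values that parse as IPv4/IPv6 addresses.

    Only syntactically valid addresses are accepted, so an artifact value is
    never copied into the AQL text verbatim; anything else is skipped.
    """
    ips = []
    for art in artifacts:
        if art.get("type") not in IP_ARTIFACT_TYPES:
            continue
        try:
            ip = ipaddress.ip_address(art.get("value", "").strip())
        except ValueError:
            continue  # malformed or non-IP value: leave it out of the query
        if str(ip) not in ips:
            ips.append(str(ip))
    return ips


def build_aql(artifacts, days=7, field="sourceip"):
    """Return an AQL query over the events table for the incident's IP
    artifacts, or None when the incident has no usable IP artifacts.

    LOGSOURCENAME(logsourceid) resolves the numeric log source id so the
    hits are reported per log source; "LAST n DAYS" is AQL's relative time
    window and goes at the end of the statement.
    """
    if field not in ("sourceip", "destinationip"):
        raise ValueError("field must be sourceip or destinationip")
    ips = validated_ips(artifacts)
    if not ips:
        return None
    in_list = ", ".join("'%s'" % ip for ip in ips)
    return (
        "SELECT LOGSOURCENAME(logsourceid) AS logsource, %s AS ip, "
        "COUNT(*) AS hits "
        "FROM events WHERE %s IN (%s) "
        "GROUP BY logsourceid, %s "
        "ORDER BY hits DESC "
        "LAST %d DAYS" % (field, field, in_list, field, days)
    )


if __name__ == "__main__":
    # Run stand-alone to see the query the sample artifacts produce.
    print(build_aql(SAMPLE_ARTIFACTS))
```

Run it as-is to see the query the sample artifacts produce; in a workflow you would call `build_aql(incident_artifacts)` once per escalation and pass the result to the Ariel search, switching `field` to `destinationip` for a second query if the incident's IPs may appear as targets rather than sources. Grouping by log source answers the original question directly: one result row per log source that saw any of the incident's IPs in the past seven days.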