@PABLO ROBERTO GARCIA and @Jasmine
1. Create a custom rich text field in Resilient for the QRadar URL.
2. In the Resilient app for QRadar, you can create an escalation template with that custom field containing:
<a href="https://qradar_ip/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={{offense.id}}&pageNumber=1&bt.label.0=All+Offenses&bt.url.0=%2Fconsole%2Fdo%2Fsem%2Foffensesearch%3Fdispatch%3DperformDefaultSearch%26appName%3DSem%26pageId%3DOffenseList&bt.pageId.0=OffenseList">Offense in QRadar</a>
3. Add the custom field to your Resilient layout.
4. Now when a QRadar offense is escalated using the template, that field will be populated with a clickable link to the offense.
------------------------------
Jared Fagel
Cyber Security Analyst I
Public Utility
------------------------------
Original Message:
Sent: Thu November 12, 2020 03:50 AM
From: PABLO ROBERTO GARCIA
Subject: Qradar Offense link
Hello mate, thanks for sharing.
Could you explain a little bit better how you use the escalation template to pass the url?
I saw a URL but I can't see it completely.
If you have any other useful information that can be automatically escalated like this, please share it with us.
Many thanks.
------------------------------
PABLO ROBERTO GARCIA
Original Message:
Sent: Wed November 11, 2020 10:13 AM
From: Liam Mahoney
Subject: Qradar Offense link
Jasmine,
If you're using the QRadar / Resilient integration to push QRadar offenses into Resilient you have another option as well. You can add the URL via the escalation template within the integration in QRadar, as long as you have a field created you'd like the link to be posted to.
For example here's what we are passing into a field 'QRadar Offense Link':
<a href="https://qradar_ip/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={{offense.id}}&pageNumber=1&bt.label.0=All+Offenses&bt.url.0=%2Fconsole%2Fdo%2Fsem%2Foffensesearch%3Fdispatch%3DperformDefaultSearch%26appName%3DSem%26pageId%3DOffenseList&bt.pageId.0=OffenseList">Offense in QRadar</a>
I would think there are some extra parameters in this URL that could be cleaned up, but I haven't spent any time looking into it.
------------------------------
Liam Mahoney
Original Message:
Sent: Tue November 10, 2020 04:05 AM
From: Jasmine
Subject: Qradar Offense link
Hi,
Our analyst team has requested a link to access the QRadar offense from the Resilient incident. The QRadar offense link looks like this:
https://qradar_ip/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=offense_id
But I'm not sure that it is the secure way. What is the best approach for this issue? Any advice would be appreciated.
Best
------------------------------
Jasmine
------------------------------
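
An added example, not part of any post in this thread and not IBM's code: it splits the template href quoted above into the three parameters from the original question's URL and the remaining `pageNumber` and `bt.*` parameters, then builds the anchor for a single offense with the id checked as numeric and the href HTML-escaped. That the three-parameter link is enough for QRadar is an assumption taken from the original question; `split_params` and `offense_link` are hypothetical helper names.

```python
import html
from urllib.parse import urlsplit, parse_qsl, urlencode

# Template href copied from the thread; qradar_ip is the thread's own placeholder.
TEMPLATE_HREF = (
    "https://qradar_ip/console/do/sem/offensesummary?appName=Sem"
    "&pageId=OffenseSummary&summaryId={{offense.id}}&pageNumber=1"
    "&bt.label.0=All+Offenses"
    "&bt.url.0=%2Fconsole%2Fdo%2Fsem%2Foffensesearch%3Fdispatch%3DperformDefaultSearch"
    "%26appName%3DSem%26pageId%3DOffenseList&bt.pageId.0=OffenseList"
)

# Parameters present in the short URL from the original question.
CORE_KEYS = ("appName", "pageId", "summaryId")


def split_params(href):
    """Return (core, extra): decoded query parameters in and outside CORE_KEYS."""
    params = parse_qsl(urlsplit(href).query, keep_blank_values=True)
    core = {k: v for k, v in params if k in CORE_KEYS}
    extra = {k: v for k, v in params if k not in CORE_KEYS}
    return core, extra


def offense_link(console_host, offense_id, label="Offense in QRadar"):
    """Build the anchor for one offense; refuse any id that is not ASCII digits."""
    oid = str(offense_id)
    if not (oid.isascii() and oid.isdigit()):
        raise ValueError(f"offense id must be numeric, got {offense_id!r}")
    query = urlencode({"appName": "Sem", "pageId": "OffenseSummary", "summaryId": oid})
    url = f"https://{console_host}/console/do/sem/offensesummary?{query}"
    # Escape the href (& becomes &amp;) and the label before they enter rich text.
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label)}</a>'


if __name__ == "__main__":
    core, extra = split_params(TEMPLATE_HREF)
    print("core :", core)
    for key, value in extra.items():
        print("extra:", key, "=", value)
    print(offense_link("qradar_ip", 42))  # 42 is a constructed sample id
```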