IBM Security QRadar SOAR

  • 1.  Qradar Offense link

    Posted Tue November 10, 2020 04:05 AM
    Hi,

    Our analyst team has requested that we insert a link for accessing the QRadar offense from the Resilient incident. The QRadar offense link looks like this:

    https://qradar_ip/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=offense_id

    But I'm not sure that it is a secure way. What is the best approach for this issue? Any advice would be appreciated.

    Best

    ------------------------------
    Jasmine
    ------------------------------


  • 2.  RE: Qradar Offense link

    Posted Tue November 10, 2020 08:10 PM
    Hello Jasmine,
    It is not unsafe: qradar_id is already a part of the case, and QRadar would require logging in. What you could do is to have a script started at the creation of the incident that would take qradar_id and insert it into the pattern you've listed above, and list it as a note, or wherever you'd like to add it.

    Let me know if that makes sense, hope it helps,

    ------------------------------
    Ihor Husar
    ------------------------------



  • 3.  RE: Qradar Offense link

    IBM Champion
    Posted Wed November 11, 2020 10:14 AM
    Jasmine,

    If you're using the QRadar / Resilient integration to push QRadar offenses into Resilient you have another option as well. You can add the URL via the escalation template within the integration in QRadar, as long as you have a field created you'd like the link to be posted to.

    For example here's what we are passing into a field 'QRadar Offense Link': 

    <a href="https://qradar_ip/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={{offense.id}}&pageNumber=1&bt.label.0=All+Offenses&bt.url.0=%2Fconsole%2Fdo%2Fsem%2Foffensesearch%3Fdispatch%3DperformDefaultSearch%26appName%3DSem%26pageId%3DOffenseList&bt.pageId.0=OffenseList">Offense in QRadar</a>

    I would think there are some extra parameters in this URL that could be cleaned up, but I haven't spent any time looking into it.

    ------------------------------
    Liam Mahoney
    ------------------------------



  • 4.  RE: Qradar Offense link

    Posted Thu November 12, 2020 03:50 AM
    Hello mate, thanks for sharing.

    Could you explain a little bit better how you use the escalation template to pass the URL?
    I saw a URL but I can't see it completely.

    If you have any other useful information that can be automatically escalated like this, please share it with us.

    Many thanks.

    ------------------------------
    PABLO ROBERTO GARCIA
    ------------------------------



  • 5.  RE: Qradar Offense link

    IBM Champion
    Posted Thu November 12, 2020 10:20 PM
    @PABLO ROBERTO GARCIA and @Jasmine

    1. Create a custom rich text field in Resilient for the QRadar URL.

    2. In the Resilient app for QRadar, you can create an escalation template with that custom field containing:
    <a href="https://qradar_ip/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={{offense.id}}&pageNumber=1&bt.label.0=All+Offenses&bt.url.0=%2Fconsole%2Fdo%2Fsem%2Foffensesearch%3Fdispatch%3DperformDefaultSearch%26appName%3DSem%26pageId%3DOffenseList&bt.pageId.0=OffenseList">Offense in QRadar</a>

    3. Add the custom field to your Resilient layout.

    4. Now when a QRadar offense is escalated using the template, that field will be populated with a clickable link to the offense.

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------
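The script approach in reply 2 (build the link from the offense id at incident creation) and the escalation-template link in reply 5 both come down to placing an offense id into the Offense Summary URL. The following is an added example, not code from the thread or from the IBM QRadar/Resilient integration, showing one way to do that safely in a Resilient script: the id is forced to a positive integer before it enters the query string, the base URL is checked to be https with a host, and the resulting anchor is HTML-escaped before it goes into a rich text field. `https://qradar_ip` is the thread's placeholder host, and the `qradar_id` property name on the incident is assumed from reply 2.

```python
from html import escape
from urllib.parse import urlencode, urlsplit, urlunsplit

# Placeholder console host from the thread; replace with your own QRadar URL.
QRADAR_BASE = "https://qradar_ip"
OFFENSE_SUMMARY_PATH = "/console/do/sem/offensesummary"


def offense_summary_url(offense_id, base_url=QRADAR_BASE):
    """Return the QRadar Offense Summary URL for one offense id.

    Only a positive integer is accepted: a non-numeric value (for example a
    string carrying markup or extra query parameters) is rejected instead of
    being written into the link, so the rich text field can only ever hold a
    link to an offense on the configured console.
    """
    if isinstance(offense_id, bool):
        raise ValueError("offense id must be an integer, not a boolean")
    try:
        oid = int(offense_id)
    except (TypeError, ValueError):
        raise ValueError(f"offense id is not an integer: {offense_id!r}")
    if oid <= 0:
        raise ValueError(f"offense id must be positive: {oid}")

    scheme, netloc, _path, _query, _fragment = urlsplit(base_url)
    if scheme != "https" or not netloc:
        raise ValueError("QRadar base URL must be an https:// URL with a host")

    # urlencode takes care of query-string escaping; the three parameters here
    # are the ones the thread's shorter link form uses.
    query = urlencode({
        "appName": "Sem",
        "pageId": "OffenseSummary",
        "summaryId": oid,
    })
    return urlunsplit((scheme, netloc, OFFENSE_SUMMARY_PATH, query, ""))


def offense_link_html(offense_id, base_url=QRADAR_BASE, label="Offense in QRadar"):
    """Return an <a> element for a Resilient rich text field.

    Both the href and the visible label are HTML-escaped, so the field
    contains exactly one link and nothing else.
    """
    url = offense_summary_url(offense_id, base_url)
    return f'<a href="{escape(url, quote=True)}">{escape(label)}</a>'


def offense_link_for_incident(incident, base_url=QRADAR_BASE):
    """Build the link from an incident's properties.

    `incident` is assumed to be the dict-like object a Resilient script sees,
    with the QRadar offense id stored under the assumed property name
    "qradar_id". Returns None when the incident has no offense id, so the
    caller can skip the note instead of writing a broken link.
    """
    raw = incident.get("properties", {}).get("qradar_id")
    if raw in (None, ""):
        return None
    return offense_link_html(raw, base_url)


if __name__ == "__main__":
    # Constructed sample incident, shaped like what a Resilient script receives.
    sample_incident = {"id": 2001, "properties": {"qradar_id": "42"}}
    print(offense_link_for_incident(sample_incident))
```

In a Resilient script the returned anchor would be written to the custom rich text field from reply 5 (or added as a note, as reply 2 suggests); the value checks are what keep a malformed or tampered offense id from turning the field into anything other than a link to the console.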