IBM Security QRadar SOAR

  • 1.  Splunk ADD-ON [Event_ID field not mapped]

    Posted Tue March 09, 2021 11:56 AM
    Hello all,

    I have installed a Resilient add-on for Splunk version (1.2.0), and the automatic escalation for notable events from correlation search to Resilient Incidents works fine, but the event ID is not mapped to the "Splunk Notable Event ID" custom field in Resilient. Any advice?

    ------------------------------
    Omar Darweesh
    ------------------------------


  • 2.  RE: Splunk ADD-ON [Event_ID field not mapped]

    Posted Wed March 10, 2021 10:35 AM
    Hello Omar,

    Thank you for your question. First things first, please make sure you have all the proper configurations in place to map the Notable Event ID to a Resilient incident (you are using Splunk ES, the custom field is created in Resilient, etc.). If your configuration is good, the next thing that you will want to check is the order in which your Adaptive Response Actions happen if you are automatically generating alerts in Resilient (versus manually triggering the action on an existing notable). If the action to send to Resilient comes before the notable event is actually created in Splunk, there won't be an ID to include in the incident payload. Try swapping the order in which your Adaptive Response Actions occur.

    For further reference, the documentation for SA-Resilient is located in the resilient-reference repository on Github. Have a look there to double check your configuration.
    https://github.com/ibmresilient/resilient-reference/tree/master/developer_guides/resilient-splunk-addon

    By the way, 1.2.2 (the latest version) is now available on Splunkbase!
    https://splunkbase.splunk.com/app/3861/

    ------------------------------
    Brian Reid
    ------------------------------



  • 3.  RE: Splunk ADD-ON [Event_ID field not mapped]

    Posted Mon March 15, 2021 04:45 AM
    Hello Brian,

    Thank you for your reply; the incidents are now created on IBM Resilient properly.

    There are a few questions I hope to get answers for:

    1.  From the Splunk side, I create the Incidents on IBM Resilient manually (through Run Adaptive Response Actions). My question is that I want to map the additional fields in the notable event to artifacts in IBM Resilient (e.g. destination IP addresses in notable events to IP address in Incident artifacts). If this is applicable, kindly advise, or if we can map them to any field in Resilient, kindly advise. Kindly note that I have tried this ($result.additional_field_label$) but no results appear.
    2.  From the Splunk side, can we create only one incident for multiple notable events? For example, we create an incident in IBM Resilient from a (prohibited activity) notable event in Splunk, and we receive another notable event with the same name (prohibited activity) in Splunk but with different details. Can we update the incident with only the new details rather than creating a new incident for each notable event?
    3.  This question is related to the previous one. From the Resilient side, for the "update notable event status" rule, can we update multiple notable events which are connected to only one Incident?


    ------------------------------
    Omar Darweesh
    ------------------------------



  • 4.  RE: Splunk ADD-ON [Event_ID field not mapped]

    Posted Mon March 15, 2021 12:14 PM
    Hello Omar,

    Great! I'm glad to hear you are up and running. I can provide some information on your additional questions as well:

    1. You can map anything you want, provided the token ($result.example_value$) returns a value and the desired field in Resilient exists. For example, it's common to map $result.src$ to an artifact. However, this is search-dependent. I suggest using the Splunk Search and Reporting tool to dig into your searches to see what tokens are available to you for a given search.

    2. This is not possible. As of now, the relationship between notable events and incidents is one-to-one.

    3. As you note, this is related to number 2. It is possible to update an incident in Resilient, but the relationship is one-to-one. What that means is that if you are on a recent version of SA-Resilient (latest is 1.2.2), you can uncheck the "Allow Duplicate Incidents" option during setup. If SA-Resilient is configured in this manner, any notable events escalated will search Resilient for an incident with a splunk_notable_event_id field equal to the targeted notable event. If a match is found, that incident will be updated. If there is no match or your settings are configured to allow duplicate incidents, a new incident will be created.

    SA-Resilient docs: 
    https://github.com/ibmresilient/resilient-reference/tree/master/developer_guides/resilient-splunk-addon

    Splunk Searching and Reporting docs:
    https://docs.splunk.com/Documentation/Splunk/8.1.2/Overview/Searchingandreporting

    ------------------------------
    Brian Reid
    ------------------------------
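    As an added illustration of Brian's points 1 and 3 (not code from the add-on or from either poster), the following Python models how a $result.<field>$ token from a search result feeds an IP-address artifact in the incident payload, and how the splunk_notable_event_id lookup behaves with and without "Allow Duplicate Incidents". The token regex, the artifact mapping, the sample notable event and the in-memory incident store are all assumptions standing in for the real SA-Resilient and Resilient REST calls.

```python
import re

# Constructed sample of the fields a Splunk notable event exposes as
# $result.<field>$ tokens; the event_id value is a placeholder, not a real ID.
NOTABLE = {"event_id": "PLACEHOLDER-NOTABLE-ID-1",
           "rule_name": "Prohibited Activity", "src": "10.0.0.5"}
# Hypothetical mapping of Resilient artifact type to the Splunk token feeding it.
ARTIFACT_MAP = {"IP Address": "$result.src$", "DNS Name": "$result.dest_host$"}
TOKEN_RE = re.compile(r"\$result\.(\w+)\$")


def resolve_tokens(template, result):
    """Substitute $result.<field>$ tokens from a search result; None if any
    referenced field is absent, since an unresolved token yields no value."""
    if any(result.get(f) is None for f in TOKEN_RE.findall(template)):
        return None
    return TOKEN_RE.sub(lambda m: str(result[m.group(1)]), template)


def build_payload(result):
    """Incident payload: name, splunk_notable_event_id, and one artifact per
    mapping whose token actually resolved (unresolved ones are skipped)."""
    artifacts = [{"type": atype, "value": resolve_tokens(tmpl, result)}
                 for atype, tmpl in ARTIFACT_MAP.items()
                 if resolve_tokens(tmpl, result) is not None]
    return {"name": resolve_tokens("Splunk: $result.rule_name$", result),
            "splunk_notable_event_id": result.get("event_id"),
            "artifacts": artifacts}


class IncidentStore:
    """In-memory stand-in (assumption) for Resilient's search/update/create."""

    def __init__(self, allow_duplicates):
        self.allow_duplicates = allow_duplicates
        self.incidents = []

    def escalate(self, result):
        """Return "updated" if an incident with this notable ID exists and duplicates
        are disallowed, else "created"; an event with no ID yet is always created."""
        payload = build_payload(result)
        nid = payload["splunk_notable_event_id"]
        if not self.allow_duplicates and nid is not None:
            for inc in self.incidents:
                if inc["splunk_notable_event_id"] == nid:
                    inc.update(payload)  # one-to-one: refresh, don't duplicate
                    return "updated"
        self.incidents.append(payload)
        return "created"
```

    The no-ID case is the thread's original symptom: an action that fires before the notable event exists carries no splunk_notable_event_id, so nothing can ever match it and every escalation creates a fresh incident.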



  • 5.  RE: Splunk ADD-ON [Event_ID field not mapped]

    Posted Tue March 16, 2021 01:26 AM
    Hello Brian,

    Many thanks for your fast response.

    Regarding point number 1:

    • How can we map, for example, $result.src$ to an artifact automatically? Assume that all notable events have this field "$result.src$"; how can we map it directly to an artifact in Resilient? As I see it, all artifacts are in "drop down" format for choosing their type and description, so what I am asking for is: I want to map "$result.src$" directly to an artifact of the type IP address in IBM Resilient.

    Note: I know how to add artifacts directly from the API calls, but how can I fetch this field from Splunk itself?

    ------------------------------
    Omar Darweesh
    ------------------------------