IBM Security QRadar SOAR

  • 1.  Reporting (export or api) a data selection from SOAR on a time schedule

    Posted 14 days ago
    Hi, I'm looking for ideas on how to "export" a selection of data fields for a selection of incidents on an automated timed schedule (e.g. daily) to be used for management reporting dashboards.
    - basically what you get by using the "incidents" view with filters and selected columns (presets) from SOAR and using the "export selected" option.

    Can this be produced in any scheduled (automated) way?

    Or is there an alternative to "pull" selected data from SOAR?

    Thanks

    ------------------------------
    Guido Janssens
    ------------------------------


  • 2.  RE: Reporting (export or api) a data selection from SOAR on a time schedule

    Posted 14 days ago
    Hi Guido,

    You can pull the incidents using the REST APIs. I think you would use "post" with "/orgs/{org_id}/incidents/query". Take a look at the documentation from your console in the About menu and then API Tools. You would have to develop a script or program and schedule its execution.

    You could also take a look at the Data Feeder for SOAR extension. This app allows you to export incidents at specified intervals and maintain a replica of the incidents in another format. Basically, you install the app and then you add one plugin for the type of replication available like ODBC, Splunk, ...
    Have a look at https://exchange.xforce.ibmcloud.com/hub?ippr=All&br=Resilient&ippc=All&q=feeder

    HTH

    ------------------------------
    Pierre Dufresne
    ------------------------------
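    As an added illustration of the scripted approach described in the reply above (this is example code, not part of the thread and not IBM's own library): a small Python script that posts a filter to the incidents query endpoint, keeps only the columns you would have picked in the incidents view, and writes CSV for a dashboard. The host, org id, API key authentication via HTTP Basic, the filter body shape and the field names are assumptions; confirm them against the API Tools page on your console before scheduling it.

```python
import base64
import csv
import io
import json
import urllib.request

# Columns to keep, mirroring a column preset in the incidents view (assumed field names).
COLUMNS = ["id", "name", "severity_code", "plan_status", "create_date"]


def build_query(since_epoch_ms):
    """Filter body for POST /rest/orgs/{org_id}/incidents/query (assumed shape):
    incidents created at or after the given epoch-millisecond timestamp."""
    return {"filters": [{"conditions": [
        {"field_name": "create_date", "method": "gte", "value": since_epoch_ms}
    ]}]}


def fetch_incidents(base_url, org_id, key_id, key_secret, query):
    """POST the query to SOAR and return the decoded JSON list of incidents.
    Uses a read-only API key with HTTP Basic auth (assumed); never a user password."""
    url = f"{base_url}/rest/orgs/{org_id}/incidents/query"
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(query).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:  # TLS verified by default
        return json.load(resp)


def to_csv(incidents, columns=COLUMNS):
    """Project each incident onto the chosen columns; extra fields are dropped,
    missing ones become empty cells, so the dashboard import never breaks."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=columns, extrasaction="ignore")
    writer.writeheader()
    for inc in incidents:
        writer.writerow({c: inc.get(c, "") for c in columns})
    return buf.getvalue()


# Constructed sample response used for offline testing; real data comes from fetch_incidents().
SAMPLE_INCIDENTS = [
    {"id": 2001, "name": "Phishing report", "severity_code": 4, "plan_status": "A",
     "create_date": 1700000000000, "description": "dropped by to_csv"},
    {"id": 2002, "name": "Malware alert", "severity_code": 6, "plan_status": "C"},
]

if __name__ == "__main__":
    # Run daily from cron/Task Scheduler, e.g.: 0 6 * * * python3 soar_export.py
    print(to_csv(SAMPLE_INCIDENTS), end="")
```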



  • 3.  RE: Reporting (export or api) a data selection from SOAR on a time schedule

    Posted 13 days ago
    Pierre, thank you for the suggestions. We'll continue on these.

    ------------------------------
    Guido Janssens
    ------------------------------