IBM Security QRadar

Hello,

Is there a way to auto assign offenses to an analyst based on the offense type or rule that triggered the offense?

------------------------------
Josh
------------------------------

Hi Josh,

with the help of the qradar api and for example a python script you should be able to implement your requirements.
The attributes for offense_type and assigned_to are available to you there. Hope that helps you first.
Further information can be found in the API documentation in the section /siem/offenses /{offense_id}

Regards,
Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+4972190981727
------------------------------

Original Message:
Sent: Tue November 23, 2021 05:33 PM
From: Josh V
Subject: Auto assign offense

Hello,

Is there a way to auto assign offenses to an analyst based on the offense type or rule that triggered the offense?

------------------------------
Josh
------------------------------

Hello @Josh V ,

You can do this on your own as specified by Ralph.

There is also an alternative with an app that do the job from the company ScienceSoft : QIN (QRadar Incident Notifier).

https://exchange.xforce.ibmcloud.com/hub/extension/7fcc709a5d2aa4eec6daca7192d8253c

Regards,
Zoldax
​

------------------------------
@zoldax

https://www.youracclaim.com/users/pascal-weber.029e134d/badges
------------------------------

Original Message:
Sent: Tue November 23, 2021 05:33 PM
From: Josh V
Subject: Auto assign offense

Hello,

Is there a way to auto assign offenses to an analyst based on the offense type or rule that triggered the offense?

------------------------------
Josh
------------------------------

Hi Josh. Did you figure out a way to do this in Qradar? 

I can't believe they didn't have the feature in 2021 and still don't.

------------------------------
Luke Sawyer
------------------------------

Original Message:
Sent: Tue November 23, 2021 05:33 PM
From: Josh V
Subject: Auto assign offense

Hello,

Is there a way to auto assign offenses to an analyst based on the offense type or rule that triggered the offense?

------------------------------
Josh
------------------------------

Hi Luke,

executing a custom action script (python, bash or pearl), unfortunately this option is missing in rules of type "offense rules". This would be the right place regarding to the starting question of Josh two years ago :) The stumbling point here is, to "auto assign" a specific offense to a specific user, you'll need the offense id first! 

But the offense id does not exist until the offense is created. This happens a little moment later. That's the reason why "auto assigning based on an offense type or id" is still a challenge. So, if a Event Rule triggers and you are responding in your rule to that trigger, this is a little bit tricky.

It depends on your rule design, options you are using and if your rule triggers to create an offense, the time-frame or delay till the offense id is available.

The nice script provided by Carlos works like a charm as a rule response option for "Event Rules". There you can choose "Execute Custom Action" as an additional "Rule Response Option".

At this point to achieve your "goal", you can work around with a modified filter query within your python script to get your selection of Offenses you want to "auto-assign", for example "status=open and categories contains("New Host Discovered")". Here for example, you can consider to pass the category you wanna focus on as a parameter to your script.

How to create a custom action script you'll find further infos here: https://www.ibm.com/docs/en/qradar-on-cloud?topic=actions-passing-parameters-custom-action-script.

it is not a perfect solution, but it can be implemented pragmatically with the existing possibilities in QRadar. So I also use this in my lab and can show that it works until there is something better :)

Regards,

Ralph

------------------------------
Ralph Belfiore
SIEM Expert
pro4bizz GmbH
Karlsruhe
+4972190981727
------------------------------

Original Message:
Sent: Fri October 20, 2023 06:09 PM
From: L W
Subject: Auto assign offense

Hi Josh. Did you figure out a way to do this in Qradar? 

I can't believe they didn't have the feature in 2021 and still don't.

------------------------------
Luke Sawyer

Original Message:
Sent: Tue November 23, 2021 05:33 PM
From: Josh V
Subject: Auto assign offense

Hello,

Is there a way to auto assign offenses to an analyst based on the offense type or rule that triggered the offense?

------------------------------
Josh
------------------------------

Hi, I made you a script. I tested it in a test environment and it worked.

https://colab.research.google.com/drive/1_G0u8C_zBRstlwOPPfrV5hZ_FEEVyrGL?usp=sharing

------------------------------
Carlos Medina
------------------------------

Original Message:
Sent: Tue November 23, 2021 05:33 PM
From: Josh V
Subject: Auto assign offense

Hello,

Is there a way to auto assign offenses to an analyst based on the offense type or rule that triggered the offense?

------------------------------
Josh
------------------------------

Ohh I didn't notice this post was from 2 years ago xD

------------------------------
Carlos Medina
------------------------------

Original Message:
Sent: Tue November 23, 2021 05:33 PM
From: Josh V
Subject: Auto assign offense

Hello,

Is there a way to auto assign offenses to an analyst based on the offense type or rule that triggered the offense?

------------------------------
Josh
------------------------------