IBM Security QRadar SOAR

  • 1.  search automation LDAP and others

    Posted Wed July 01, 2020 04:04 PM
    Hi,

    I need to automate LDAP search and other functions whenever, for example, an incident that comes from QRadar has a string or user account. I tried to create a rule that calls the workflow responsible, but it was not triggered. Attached is the image of the rule.

    ------------------------------
    Vítor Fagundes Alves Nogueira
    ------------------------------


  • 2.  RE: search automation LDAP and others

    Posted Thu July 02, 2020 07:07 AM

    From the image you posted above you have created two conditions on the Artifact Type for the artifact having both a String and a User Account at the same time. To fix this you can either:

    1. Create 2 different rules that trigger the same workflow. One rule for the String artifact type and another for the User Account artifact type.
    2. You could also click "Any" next to "All", which would trigger the rule if any of the conditions were true.
    3. Alternatively you could click "Advanced" underneath the name of the rule and write a complex set of logic. In this case you would write "1 or 2".


    ------------------------------
    MICHAEL LYONS
    ------------------------------
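    The three options above, as an added example that is not part of the thread or of IBM's product: a small Python model of how a rule's condition combinator (All / Any / Advanced "1 or 2") decides whether the rule fires for an artifact, showing why the posted All rule can never match. The mode names, the 1-based condition numbering in the Advanced expression and the sample artifact types are assumptions made for the example.

```python
# Added example, not code from the thread or from IBM: models how a SOAR rule's
# condition combinator (All / Any / Advanced) decides whether the rule fires.
import re
from typing import List

def eval_expression(expr: str, results: List[bool]) -> bool:
    """Evaluate an Advanced expression such as '1 or 2' or '(1 or 2) and not 3'.
    Numbers refer to conditions (1-based); precedence is not > and > or."""
    tokens = re.findall(r"\(|\)|\d+|[a-z]+", expr.lower()) + ["$"]  # "$" marks the end
    pos = 0
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def parse_or():
        val = parse_and()
        while tokens[pos] == "or":
            take(); rhs = parse_and(); val = val or rhs
        return val
    def parse_and():
        val = parse_not()
        while tokens[pos] == "and":
            take(); rhs = parse_not(); val = val and rhs
        return val
    def parse_not():
        if tokens[pos] == "not":
            take(); return not parse_not()
        tok = take()
        if tok == "(":
            val = parse_or()
            if take() != ")": raise ValueError("missing ')'")
            return val
        if not tok.isdigit() or not 1 <= int(tok) <= len(results):
            raise ValueError("bad token or condition number: " + tok)
        return results[int(tok) - 1]
    val = parse_or()
    if tokens[pos] != "$": raise ValueError("unexpected token: " + tokens[pos])
    return val

def rule_fires(mode: str, results: List[bool], expression: str = "") -> bool:
    if mode == "all": return all(results)        # every condition must hold
    if mode == "any": return any(results)        # at least one condition holds
    return eval_expression(expression, results)  # "advanced": the written logic

# The thread's rule: condition 1 = Artifact Type is String, condition 2 = Artifact
# Type is User Account. An artifact has one type, so "all" can never be satisfied.
def matching_artifacts(mode: str, artifact_types: List[str], expr: str = "") -> List[str]:
    return [t for t in artifact_types
            if rule_fires(mode, [t == "String", t == "User Account"], expr)]
SAMPLE_TYPES = ["String", "User Account", "IP Address"]  # constructed artifact types
```

Running `matching_artifacts("all", SAMPLE_TYPES)` returns an empty list, while the "any" mode and the Advanced expression "1 or 2" both match the String and User Account artifacts.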



  • 3.  RE: search automation LDAP and others

    Posted Thu July 02, 2020 02:18 PM
    Vitor,

    I personally would do recommendation #2 from @MICHAEL LYONS as that would be the easiest to cover the "OR" statement that you have in your initial post. Then you would only have one rule, and any of the conditions, if they are matched, would trigger it.

    ------------------------------
    Richard Giesige
    Security Engineer
    Oshkosh Corporation
    Oshkosh
    ------------------------------