IBM Security QRadar SOAR

  • 1.  QRadar integration function

    Posted Tue October 20, 2020 06:26 AM
    Hi,

    Is there any way to accomplish a QRadar-Resilient integration function that after an incident is created from an email, Resilient asks QRadar information about this incident? Like info about the artifacts, sources, anything related?

    Thank you.

    ------------------------------
    Adam
    ------------------------------


  • 2.  RE: QRadar integration function

    Posted Tue October 27, 2020 01:10 PM
    Hi Adam, I have reached out to our QRadar support team with your query... currently awaiting feedback.

    ------------------------------
    John Quirke
    ------------------------------



  • 3.  RE: QRadar integration function

    Posted Wed October 28, 2020 03:22 AM
    Hi John,

    Thank you very much.

    I'm looking forward to it.

    ------------------------------
    Adam
    ------------------------------



  • 4.  RE: QRadar integration function

    Posted Wed October 28, 2020 11:24 AM
    Hi Adam - The QRadar team believe this should be possible as long as the email provides a 'qradar_id' field that Resilient can populate.

    ------------------------------
    John Quirke
    ------------------------------



  • 5.  RE: QRadar integration function

    Posted Wed October 28, 2020 05:59 PM
    Hi Adam,
    At the moment there isn't an easy way to set up such a flow. You could try to see if AQL queries in the Resilient QRadar integration would work for you, but it returns results as attachments.
    As of the next version of the integration, which is currently in development, this would be possible, as your use case is one of the use cases we are specifically addressing.
    It will come with a dependency on the new UBA app in QRadar (which itself depends on version 7.4), but it will have ready-to-use workflows for extracting information from QRadar offenses.

    The planned release date for it would be in late November.
    Hope this answers your question,

    ------------------------------
    Ihor Husar
    ------------------------------



  • 6.  RE: QRadar integration function

    Posted Thu October 29, 2020 03:15 AM
    Edited by System Thu November 11, 2021 11:15 AM
    Hi Ihor,

    Thank you for your answer.

    Is there any more information about the way of working and the functionalities of it?

    ------------------------------
    Adam
    ------------------------------



  • 7.  RE: QRadar integration function

    Posted Thu November 12, 2020 08:24 AM
    Hi,

    The best way to do this is to use the QRadar integration in Resilient, which you can get from https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4, and follow the training https://www.securitylearningacademy.com/course/view.php?id=5309 to understand how it works.

    You can create the AQL queries you want to get the expected objects in Resilient, and modify the Search workflow post-process to write it at the correct place (Table, Artifact, Fields...).

    As an example of it, I have created a demo (non-production-ready) package you can import in a non-production environment with the following queries and table results.
    Note, this package also replaces the current Layout - so do not import it "as is" in production.
    You can read the details of its work in the attached PDF.

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
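
Added example (not from this thread or from IBM's integration code): a stand-alone Python model of the post-process step described in the reply above, mapping AQL search rows into incident artifacts and a data table instead of an attachment. `FakeIncident` and its rows are constructed stand-ins for the `incident` object a Resilient script receives (the `addArtifact`/`addRow` names follow the Resilient scripting API as an assumption), and the table and column names are made up.

```python
import ipaddress

# Constructed sample of what an AQL query such as
#   SELECT sourceip, destinationip, username, eventcount FROM events ...
# could return: one dict per row, keyed by column name.
SAMPLE_AQL_ROWS = [
    {"sourceip": "10.0.0.5", "destinationip": "192.0.2.10", "username": "alice", "eventcount": 3},
    {"sourceip": "10.0.0.5", "destinationip": "192.0.2.11", "username": "alice", "eventcount": 1},
    {"sourceip": "not-an-ip", "destinationip": "192.0.2.12", "username": "", "eventcount": 7},
]


class FakeRow(object):
    """Stand-in for a data-table row; columns are set as attributes."""


class FakeIncident(object):
    """Constructed stand-in for the `incident` object of a post-process script."""
    def __init__(self):
        self.artifacts = []   # (type, value, description) tuples
        self.rows = []        # FakeRow objects, one per data-table row

    def addArtifact(self, atype, value, description):   # assumed API name
        self.artifacts.append((atype, value, description))

    def addRow(self, table_name):                       # assumed API name
        row = FakeRow()
        row.table = table_name
        self.rows.append(row)
        return row


def write_aql_results(incident, rows, table="qradar_search_results"):
    """Write AQL rows as deduplicated artifacts plus one data-table row each."""
    seen = set((a[0], a[1]) for a in incident.artifacts)   # avoid duplicates
    for r in rows:
        for col in ("sourceip", "destinationip"):
            val = r.get(col, "")
            try:
                ipaddress.ip_address(val)   # skip cells that are not valid IPs
            except ValueError:
                continue
            if ("IP Address", val) not in seen:
                seen.add(("IP Address", val))
                incident.addArtifact("IP Address", val, "QRadar AQL %s" % col)
        user = r.get("username")
        if user and ("User Account", user) not in seen:
            seen.add(("User Account", user))
            incident.addArtifact("User Account", user, "QRadar AQL username")
        row = incident.addRow(table)   # hypothetical table and column names
        row.source_ip, row.dest_ip = r.get("sourceip"), r.get("destinationip")
        row.username, row.event_count = r.get("username"), r.get("eventcount", 0)
    return len(incident.artifacts), len(incident.rows)
```

Running the mapping twice over the same rows adds no new artifacts but does append more table rows, so a real script should also clear or check the table if the search is re-run.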