IBM Security QRadar SOAR

  • 1.  Reporting (export or api) a data selection from SOAR on a time schedule

    Posted Thu May 12, 2022 05:49 AM
    Hi, I'm looking for ideas on how to "export" a selection of data fields for a selection of incidents on an automated timed schedule (e.g. daily) to be used for management reporting dashboards.
    - basically what you get by using the "incidents" view with filters and selected columns (presets) from SOAR and using the "export selected" option.

    Can this be produced in any scheduled (automated) way?

    Or is there an alternative to "pull" selected data from SOAR?

    Thanks

    ------------------------------
    Guido Janssens
    ------------------------------


  • 2.  RE: Reporting (export or api) a data selection from SOAR on a time schedule

    Posted Thu May 12, 2022 01:29 PM
    Hi Guido,

    You can pull the incidents using the REST APIs. I think you would use "post" with "/orgs/{org_id}/incidents/query". Take a look at the documentation from your console in the About menu and then API Tools. You would have to develop a script or program and schedule its execution.

    You could also take a look at the Data Feeder for SOAR extension. This app allows you to export incidents at specified intervals and maintain a replica of the incidents in another format. Basically, you install the app and then you add one plugin for the type of replication available like ODBC, Splunk, ...
    Have a look at https://exchange.xforce.ibmcloud.com/hub?ippr=All&br=Resilient&ippc=All&q=feeder

    HTH

    ------------------------------
    Pierre Dufresne
    ------------------------------
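The scripted route from the reply above (query the incidents endpoint, keep only the preset's columns, write a file a dashboard can ingest, run it from a scheduler) sketched as an added example. This is not code from the thread, from IBM, or from the official SOAR client library. It assumes the `POST /rest/orgs/{org_id}/incidents/query` path named in the reply, an API key presented as HTTP Basic credentials, a filter body of the `filters -> conditions` shape, epoch-millisecond date fields in the response, and the field names in `EXPORT_FIELDS`; all of these should be checked against the API Tools page on your own console. The sample response at the bottom is constructed so the field selection can be exercised offline.

```python
"""
Scheduled SOAR incident export: query the REST API, keep a chosen set of
fields, write them to CSV.  Added example, not the poster's or IBM's code.
Assumptions: API key as HTTP Basic auth, the incidents/query endpoint from
the reply, a JSON list of incident objects in the response, and dates as
milliseconds since the epoch.
"""
import base64
import csv
import io
import json
import os
import ssl
import urllib.request
from datetime import datetime, timedelta, timezone

# Columns for the management dashboard.  Assumption: these are the field
# names behind the columns you would pick in the incidents view preset.
EXPORT_FIELDS = ["id", "name", "severity_code", "plan_status",
                 "create_date", "owner_id"]


def build_query_payload(since_ms: int) -> dict:
    """Query body selecting incidents created at or after since_ms.
    Assumed shape: filters -> conditions with field_name/method/value."""
    return {
        "filters": [{"conditions": [
            {"field_name": "create_date", "method": "gte", "value": since_ms}
        ]}],
        "sorts": [{"field_name": "create_date", "type": "asc"}],
    }


def select_fields(incidents: list, fields=EXPORT_FIELDS) -> list:
    """Reduce each incident object to the chosen columns.  Epoch-ms dates
    become ISO-8601 UTC strings; fields absent from a record become ''."""
    rows = []
    for inc in incidents:
        row = {}
        for f in fields:
            v = inc.get(f)
            if f.endswith("_date") and isinstance(v, (int, float)):
                v = datetime.fromtimestamp(v / 1000, tz=timezone.utc).isoformat()
            row[f] = "" if v is None else v
        rows.append(row)
    return rows


def rows_to_csv(rows: list, fields=EXPORT_FIELDS) -> str:
    """Render the reduced rows as CSV text with a header line."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def fetch_incidents(base_url, org_id, key_id, key_secret, payload, ca_bundle=None):
    """POST the query using only the standard library, so the script runs
    from cron without extra packages.  TLS verification stays on; a private
    CA bundle can be supplied instead of disabling it."""
    url = f"{base_url.rstrip('/')}/rest/orgs/{org_id}/incidents/query"
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json",
                 "Accept": "application/json"},
        method="POST",
    )
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def run_export(out_path: str, lookback_days: int = 1) -> int:
    """Entry point for the scheduler.  Credentials come from the environment
    (hypothetical variable names), never from the script file itself."""
    since = datetime.now(timezone.utc) - timedelta(days=lookback_days)
    incidents = fetch_incidents(
        os.environ["SOAR_URL"], os.environ["SOAR_ORG_ID"],
        os.environ["SOAR_API_KEY_ID"], os.environ["SOAR_API_KEY_SECRET"],
        build_query_payload(int(since.timestamp() * 1000)),
        ca_bundle=os.environ.get("SOAR_CA_BUNDLE"),
    )
    rows = select_fields(incidents)
    with open(out_path, "w", newline="") as fh:
        fh.write(rows_to_csv(rows))
    return len(rows)


# Constructed sample response (not real incident data) for offline use.
SAMPLE_RESPONSE = [
    {"id": 2001, "name": "Phishing report", "severity_code": 5,
     "plan_status": "A", "create_date": 1652342940000, "owner_id": 7,
     "description": "not exported"},
    {"id": 2002, "name": "Malware alert", "severity_code": 6,
     "plan_status": "C", "create_date": 1652356800000},
]

if __name__ == "__main__":
    print(rows_to_csv(select_fields(SAMPLE_RESPONSE)))
```

Run `run_export("/var/reports/soar_incidents.csv")` from a daily cron entry or Windows scheduled task under a service account; the API key used should be one created for this job with only the read permission on incidents, so the exported file is the sole artefact the job can produce.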



  • 3.  RE: Reporting (export or api) a data selection from SOAR on a time schedule

    Posted Fri May 13, 2022 05:00 AM
    Pierre, thank you for the suggestions. We'll continue on these.

    ------------------------------
    Guido Janssens
    ------------------------------