IBM Security QRadar SOAR

  • 1.  Offense escalation from QRadar

    Posted Tue March 24, 2020 08:31 AM
    Hi,
    I am fairly new to using this tool. What is the easiest way to escalate an incident from QRadar such that the workflow can be selected automatically in Resilient? I was also wondering if it would be possible to call a workflow or apply a rule using a script.

    ------------------------------
    Regards,
    K Aravind Menon
    ------------------------------


  • 2.  RE: Offense escalation from QRadar

    Posted Tue March 24, 2020 11:11 AM
    Yes, you can check the content of the incident name or incident description coming from QRadar in a rule to automatically set incident types and add tasks, run integration workflows on added artifacts, run a script, assign users and a team to the incident, etc.
    Be sure to follow the training on IBM Security Learning Academy - Resilient.

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------



  • 3.  RE: Offense escalation from QRadar

    Posted Wed April 01, 2020 03:47 AM
    Thank you.

    ------------------------------
    K Aravind Menon
    ------------------------------



  • 4.  RE: Offense escalation from QRadar

    Posted Fri April 03, 2020 10:58 AM

    Hi Aravind,
    In the template that you use to escalate your offense to Resilient, the incident type is specified, for example in the IBM QRadar Integration Guide (documentation for the plugin):

    {% if "malware" in offense.description %}
    "incident_type_ids": "Malware",
    {% else %}
    "incident_type_ids": "Other",
    {% endif %}
    "confirmed": 0
    Incident Types in Resilient start to kick off the playbook that you have defined in the Resilient Incident that is created.



    ------------------------------
    Elizabeth Hecht
    ------------------------------
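As an added illustration of how the escalation template above is rendered before the incident reaches Resilient (example code written for this thread, not part of the IBM QRadar plugin), the following script evaluates the same `{% if "malware" in offense.description %}` construct against a constructed offense and parses the result as the incident JSON body. The template text and the offense fields are assumptions for the example; only the if/else/endif and `{{ offense.field }}` subset of the templating syntax is implemented. It also shows that the substring test is case-sensitive, so an offense described as "MALWARE ..." lands in the default "Other" type unless the template is written to handle that.

```python
import json
import re

# Constructed escalation template, modelled on the fragment quoted in the post above (assumption).
TEMPLATE = """{
  "name": "QRadar offense {{ offense.id }}: {{ offense.description }}",
  {% if "malware" in offense.description %}
  "incident_type_ids": "Malware",
  {% else %}
  "incident_type_ids": "Other",
  {% endif %}
  "confirmed": 0
}"""

TAG_RE = re.compile(r"(\{%.*?%\}|\{\{.*?\}\})")
IF_RE = re.compile(r'\{%\s*if\s+"([^"]*)"\s+in\s+offense\.(\w+)\s*%\}')
VAR_RE = re.compile(r"\{\{\s*offense\.(\w+)\s*\}\}")


def render(template, offense):
    """Render the if/else/endif + {{ offense.field }} subset of the template syntax."""
    out = []
    stack = []  # one bool per open {% if %}: True while that branch is emitting
    for tok in TAG_RE.split(template):
        if tok.startswith("{%"):
            body = tok[2:-2].strip()
            m = IF_RE.match(tok)
            if m:  # case-sensitive substring test, exactly as the template expresses it
                stack.append(m.group(1) in str(offense.get(m.group(2), "")))
            elif body == "else":
                stack[-1] = not stack[-1]
            elif body == "endif":
                stack.pop()
            else:
                raise ValueError("unsupported tag: " + tok)
        elif tok.startswith("{{"):
            if all(stack):
                m = VAR_RE.match(tok)
                if not m:
                    raise ValueError("unsupported expression: " + tok)
                # JSON-escape the value so quotes in an offense description cannot break the body
                out.append(json.dumps(str(offense[m.group(1)]))[1:-1])
        elif all(stack):
            out.append(tok)
    if stack:
        raise ValueError("unclosed {% if %}")
    return "".join(out)


def escalate(offense):
    """Return the incident body Resilient would receive for this offense."""
    return json.loads(render(TEMPLATE, offense))
```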