IBM QRadar SOAR

  • 1.  Define conditions in IBM QRadar SOAR Plugin to forward Offense Event from SIEM to SOAR

    Posted Tue July 16, 2024 11:26 PM
    Edited by On Chi Thanh Tue July 16, 2024 11:37 PM

    Dear everyone, I need to filter the Offense from SIEM to SOAR by conditions like pic below.

    Triggered condition is (severity > 4 AND description equal to Bruteforce:*).

    The problem is that I don't know how to express the operators for the "severity" field with the integer format.

    May I define it simply like ">4" or "\b-?(4|[5-9]|[1-9][0-9]*)\b" (regular expressions) for this case?

    Regards!



    ------------------------------
    Benny On
    ------------------------------



  • 2.  RE: Define conditions in IBM QRadar SOAR Plugin to forward Offense Event from SIEM to SOAR

    Posted Wed July 17, 2024 04:05 AM

    Hi Benny,

    The plug-in supports fnmatch, which does not have as wide a choice of expressions as regex.



    ------------------------------
    BEN WILLIAMS
    ------------------------------



  • 3.  RE: Define conditions in IBM QRadar SOAR Plugin to forward Offense Event from SIEM to SOAR
    Best Answer

    Posted Wed July 17, 2024 11:41 PM
    Edited by On Chi Thanh Thu July 18, 2024 12:08 AM

    Dear Ben,

    Thank you for your information.

    I have found this document: "https://www.ibm.com/docs/en/qradar-common?topic=escalations-automatic".

    So the best-practice answer for "severity" is [5-9].



    ------------------------------
    On Chi Thanh
    ------------------------------
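The following is an added example, not code from the thread or from the IBM QRadar SOAR plugin, illustrating the fnmatch point raised in replies 2 and 3. It assumes the plugin applies each pattern to the string form of the offense field (so the integer severity is compared as text) and that severity uses QRadar's 0 to 10 scale. The offense records are constructed sample data. It shows why the regex-style and ">4" patterns from the question match nothing under fnmatch, that "[5-9]" matches severities 5 through 9, and that a character class matches exactly one character, so severity 10 needs its own pattern if it should be escalated too.

```python
import fnmatch

# Constructed sample offenses (not real QRadar data); severity is the integer
# QRadar exposes, description is the offense description text.
OFFENSES = [
    {"id": 1, "severity": 3, "description": "Bruteforce: SSH login failures"},
    {"id": 2, "severity": 5, "description": "Bruteforce: RDP login failures"},
    {"id": 3, "severity": 9, "description": "Bruteforce: web auth failures"},
    {"id": 4, "severity": 10, "description": "Bruteforce: VPN login failures"},
    {"id": 5, "severity": 8, "description": "Malware: beaconing detected"},
]


def field_matches(value, patterns):
    """True if the field's string form matches any of the fnmatch patterns.

    fnmatch compares strings, so the integer severity is converted first.
    Shell-style classes such as [5-9] match exactly one character, and
    regex operators (\\b, ?, |, parentheses) are either literal or mean
    something different: '?' is a single-character wildcard, not 'optional'.
    """
    text = str(value)
    return any(fnmatch.fnmatchcase(text, pattern) for pattern in patterns)


def should_escalate(offense, severity_patterns, description_patterns):
    """Hypothetical escalation rule: severity AND description must both match."""
    return field_matches(offense["severity"], severity_patterns) and field_matches(
        offense["description"], description_patterns
    )


def escalated_ids(offenses, severity_patterns, description_patterns=("Bruteforce:*",)):
    """IDs of the offenses that would be forwarded to SOAR under the given patterns."""
    return [
        o["id"]
        for o in offenses
        if should_escalate(o, severity_patterns, description_patterns)
    ]


if __name__ == "__main__":
    # Patterns from the question: a comparison operator and a regex are not
    # fnmatch syntax, so neither escalates anything.
    print(escalated_ids(OFFENSES, [">4"]))
    print(escalated_ids(OFFENSES, [r"\b-?(4|[5-9]|[1-9][0-9]*)\b"]))
    # The thread's answer: [5-9] catches severities 5..9 but not 10.
    print(escalated_ids(OFFENSES, ["[5-9]"]))
    # A second pattern covers severity 10, the top of QRadar's scale.
    print(escalated_ids(OFFENSES, ["[5-9]", "10"]))
```

Because a character class consumes exactly one character, a two-digit severity never matches "[5-9]" on its own; listing "10" as an additional pattern (or whatever the plugin's equivalent of multiple patterns is) closes that gap without widening the match to lower severities.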