Hi Karan,
It sounds like you should ask this question in the QRadar SIEM community. If the problem is the creation of offenses then this is before the plug-in is involved. This SOAR community is a great place to ask questions about the plug-in since it is a SOAR developed application.
The QRadar SIEM community is the best place to ask about offense creation. That community has a high number of QRadar focused people, far more than the SOAR community.
As someone who supports the plug-in, I do not know the level of detail about offenses and rules that you need.
------------------------------
BEN WILLIAMS
------------------------------
Original Message:
Sent: Thu May 23, 2024 02:53 AM
From: karan kisnani
Subject: Offense escalation in QRadar SOAR
I've encountered an issue with offense escalation in QRadar SOAR that I'd like to address.
In QRadar, I'm facing an issue where a rule generates offenses whenever a device attempts to access a port in a reference set. Each new attempt by a different device adds to an existing offense instead of creating a new one. How can I adjust the rule to ensure a new offense is created for each new attempt by a different device?
Selecting 'index offense based on source IP' generates new offenses, but the 'destination port' is not included in the offense summary. This is essential for our SOAR playbooks that rely on Source IP, Destination IP, and Destination Port information. The missing destination port value is disrupting our workflows.
My end goal is to forward offenses that include the destination port, source IP, and destination IP to SOAR. I have a template created for this information, but as mentioned, the rule should be configured correctly before escalation. Any advice would be greatly appreciated.
------------------------------
karan kisnani
------------------------------