IBM QRadar

  • 1.  Offense escalation in QRadar SOAR

    Posted Thu May 23, 2024 03:41 AM
    Edited by karan kisnani Fri May 24, 2024 02:04 AM

    In QRadar, I'm facing an issue where a rule generates offenses whenever a device attempts to access a port in a reference set. Each new attempt by a different device adds to an existing offense instead of creating a new one. How can I adjust the rule to ensure a new offense is created for each new attempt by a different device?

    Selecting 'index offense based on source IP' generates new offenses, but the 'destination port' is not included in the offense summary. This is essential for our SOAR playbooks that rely on Source IP, Destination IP, and Destination Port information. The missing destination port value is disrupting our workflows.

    My end goal is to forward offenses that include the destination port, source IP, and destination IP to SOAR. I have a template created for this information, but as mentioned, the rule should be configured correctly before escalation. Any advice would be greatly appreciated.



  • 2.  RE: Offense escalation in QRadar SOAR

    Posted Fri July 19, 2024 09:31 AM

    Karan

    Port information is event information, so you need the events attached to your offense to get the port info from. The events attached to your offense have the has-offense attribute assigned to them. They belong to a different database - Ariel rather than Postgres - so take care. Events coming from an audit component on your servers have no port info. Using "index offense based on source IP" fixed your first problem - excellent. Your second problem is separate, and you have to use other attributes to assign the correct events and port info to your offense. Please check all the events listed in your offense summary. There is (at least) one metaevent containing the offense name and description, and the top 10 events eventually containing port information, depending on the type of events you are monitoring. Matching attributes between those two are e.g. sensor-id, offense-source and the assigned timestamp.



    ------------------------------
    Karl Jaeger #ibmchampion
    QRadar Specialist
    cnag
    Siegen, Germany
    ------------------------------
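    The approach in the reply above (pull the offense's own events out of Ariel and take the port from them, rather than from the offense record) as an added example; this is not code from the thread or from the IBM SOAR QRadar plugin. It assumes the QRadar REST Ariel search endpoints and SEC-token header, and the AQL INOFFENSE() function (name taken from the AQL reference, verify against your release); the console URL and token are placeholders and the sample results are constructed.

```python
import json
import time
import urllib.parse
import urllib.request

# Assumed values, not from the thread: console URL and an authorized service token (SEC header).
QRADAR_URL = "https://qradar.example.invalid"
API_TOKEN = "<SEC-token-placeholder>"


def offense_events_aql(offense_id: int) -> str:
    """AQL for the events attached to one offense. INOFFENSE() selects the events that
    contributed to that offense (assumed function name; check your AQL reference)."""
    return ("SELECT sourceip, destinationip, destinationport FROM events "
            f"WHERE INOFFENSE({int(offense_id)}) LAST 24 HOURS")


def run_ariel_search(aql: str, poll_seconds: int = 2) -> dict:
    """Submit the AQL to the Ariel search API, poll until COMPLETED, return the results JSON."""
    headers = {"SEC": API_TOKEN, "Accept": "application/json"}
    url = f"{QRADAR_URL}/api/ariel/searches?query_expression={urllib.parse.quote(aql)}"
    search = json.load(urllib.request.urlopen(urllib.request.Request(url, method="POST", headers=headers)))
    status_url = f"{QRADAR_URL}/api/ariel/searches/{search['search_id']}"
    while search.get("status") != "COMPLETED":
        if search.get("status") in ("CANCELED", "ERROR"):
            raise RuntimeError(f"Ariel search failed: {search}")
        time.sleep(poll_seconds)
        search = json.load(urllib.request.urlopen(urllib.request.Request(status_url, headers=headers)))
    return json.load(urllib.request.urlopen(urllib.request.Request(status_url + "/results", headers=headers)))


def escalation_triples(ariel_results: dict) -> list:
    """Reduce Ariel results to the unique (source IP, destination IP, destination port)
    records the SOAR template needs. Events with no port (audit events from the server
    itself, as the reply above notes) are skipped rather than forwarded with a blank."""
    seen, out = set(), []
    for ev in ariel_results.get("events", []):
        key = (ev.get("sourceip"), ev.get("destinationip"), ev.get("destinationport"))
        if not all(key) or key in seen:  # missing IP, port None/0, or duplicate event
            continue
        seen.add(key)
        out.append({"source_ip": key[0], "destination_ip": key[1], "destination_port": int(key[2])})
    return out


# Constructed sample in the shape of /api/ariel/searches/{id}/results (not real data).
SAMPLE_RESULTS = {"events": [
    {"sourceip": "10.1.1.5", "destinationip": "10.2.0.9", "destinationport": 3389},
    {"sourceip": "10.1.1.5", "destinationip": "10.2.0.9", "destinationport": 3389},  # duplicate
    {"sourceip": "10.1.1.7", "destinationip": "10.2.0.9", "destinationport": 445},
    {"sourceip": "10.2.0.9", "destinationip": "10.2.0.9", "destinationport": 0},  # audit event, no port
]}

if __name__ == "__main__":
    print(offense_events_aql(42))
    print(json.dumps(escalation_triples(SAMPLE_RESULTS), indent=2))
```

    Against a live console, replace SAMPLE_RESULTS with run_ariel_search(offense_events_aql(offense_id)) and hand the resulting triples to the SOAR template instead of relying on the offense summary fields.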



  • 3.  RE: Offense escalation in QRadar SOAR

    Posted Wed July 24, 2024 08:55 AM

    Hi Karan,

    If I understand correctly, you are talking about the IBM SOAR QRadar plugin, right? This allows QRadar offenses to be automatically escalated to IBM Security SOAR under certain criteria.
    As of today, with the current release of IBM QRadar SIEM 7.5.x and the current release of the IBM SOAR QRadar Plugin, I'm not aware of any option to query or map the destination port information in the plugin configuration, although the last top 10 events that were associated with the offense contain destination port information in the offense summary. Maybe that would be an idea for a helpful feature request to further improve the integration :)
    Hope you make useful progress and discover an approach that fits your goal.

    Regards,

    Ralph



    ------------------------------
    Ralph Belfiore
    Managing Consultant | Senior SIEM Expert
    connecT SYSTEMHAUS AG
    Siegen
    +491726365525
    ------------------------------