Hi Karan,
if I understand correctly, you are talking about the IBM SOAR QRadar plugin, right? This allows QRadar Offenses to be automatically escalated to IBM Security SOAR under certain criteria.
As of today, with the current release of IBM QRadar SIEM 7.5.x and the current release of the IBM SOAR QRadar Plugin, I'm not aware of any option to query or map the destination port information in the plugin configuration. That said, the last top 10 events that were associated with the offense, which contain the destination port information, are shown in the offense summary. Maybe that would be an idea for a helpful feature request to further improve the integration :)
Hope you make useful progress and discover an approach that fits your goal.
Regards,
Ralph
------------------------------
Ralph Belfiore
Managing Consultant | Senior SIEM Expert
connecT SYSTEMHAUS AG
Siegen
+491726365525
------------------------------
Original Message:
Sent: Thu May 23, 2024 03:01 AM
From: karan kisnani
Subject: Offense escalation in QRadar SOAR
In QRadar, I'm facing an issue where a rule generates offenses whenever a device attempts to access a port in a reference set. Each new attempt by a different device adds to an existing offense instead of creating a new one. How can I adjust the rule to ensure a new offense is created for each new attempt by a different device?
Selecting 'index offense based on source IP' generates new offenses, but the 'destination port' is not included in the offense summary. This is essential for our SOAR playbooks that rely on Source IP, Destination IP, and Destination Port information. The missing destination port value is disrupting our workflows.
My end goal is to forward offenses that include the destination port, source IP, and destination IP to SOAR. I have a template created for this information, but as mentioned, the rule should be configured correctly before escalation. Any advice would be greatly appreciated.
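Since the plugin configuration cannot map the destination port (Ralph's answer) but the events attached to the offense do carry it (the top-10 events in the offense summary), one workable route for the playbook is to query the offense's events through QRadar's Ariel (AQL) REST API and take source IP, destination IP and destination port from there. The script below is an added example written for this thread; it is neither Ralph's nor Karan's code nor IBM's. It assumes a placeholder QRadar host, SEC token and offense ID, and the Ariel result it parses is a hand-constructed sample, not output from a real system.

```python
"""Fetch (sourceip, destinationip, destinationport) for the events QRadar
associated with an offense, using the Ariel search REST API.

Added example for the thread above; not IBM code. Host, token, offense ID
and the sample result are assumptions / constructed data."""
import json
import time
import urllib.parse
import urllib.request
from typing import Dict, List, Tuple

Triple = Tuple[str, str, int]


def build_aql(offense_id: int, limit: int = 1000, hours: int = 24) -> str:
    """AQL that selects only events QRadar tied to the offense (INOFFENSE).

    The destinationport column is what the SOAR playbook is missing from the
    offense summary when the rule is indexed on source IP."""
    return (
        "SELECT sourceip, destinationip, destinationport "
        f"FROM events WHERE INOFFENSE({int(offense_id)}) "
        f"LIMIT {int(limit)} LAST {int(hours)} HOURS"
    )


def extract_triples(ariel_result: Dict) -> List[Triple]:
    """Distinct (sourceip, destinationip, destinationport) triples, in
    first-seen order, from an Ariel /results payload ({"events": [...]})."""
    seen: List[Triple] = []
    for ev in ariel_result.get("events", []):
        triple = (ev["sourceip"], ev["destinationip"], int(ev["destinationport"]))
        if triple not in seen:
            seen.append(triple)
    return seen


def run_ariel_search(host: str, sec_token: str, aql: str,
                     poll_seconds: int = 2, timeout: int = 120) -> Dict:
    """POST the search, poll until COMPLETED, return the JSON results.

    Network call; not exercised by the offline sample below. Uses the
    standard Ariel endpoints: POST /api/ariel/searches?query_expression=...,
    GET /api/ariel/searches/{id}, GET /api/ariel/searches/{id}/results.
    The API 'Version' header is omitted so the console picks its default."""
    base = f"https://{host}/api/ariel/searches"
    headers = {"SEC": sec_token, "Accept": "application/json"}
    qs = urllib.parse.urlencode({"query_expression": aql})
    req = urllib.request.Request(f"{base}?{qs}", method="POST", headers=headers)
    with urllib.request.urlopen(req) as resp:          # TLS verified by default
        search_id = json.load(resp)["search_id"]
    deadline = time.time() + timeout
    while time.time() < deadline:
        req = urllib.request.Request(f"{base}/{search_id}", headers=headers)
        with urllib.request.urlopen(req) as resp:
            status = json.load(resp)["status"]
        if status == "COMPLETED":
            break
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"Ariel search {search_id} ended with {status}")
        time.sleep(poll_seconds)
    else:
        raise TimeoutError(f"Ariel search {search_id} did not complete in {timeout}s")
    req = urllib.request.Request(f"{base}/{search_id}/results", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed sample of what /results returns for a 3-event offense: two
# distinct source hosts hitting the same port, plus one duplicate event.
SAMPLE_RESULT = {
    "events": [
        {"sourceip": "10.0.0.5", "destinationip": "192.168.1.10", "destinationport": 3389},
        {"sourceip": "10.0.0.7", "destinationip": "192.168.1.10", "destinationport": 3389},
        {"sourceip": "10.0.0.5", "destinationip": "192.168.1.10", "destinationport": 3389},
    ]
}

if __name__ == "__main__":
    print(build_aql(42))
    for src, dst, port in extract_triples(SAMPLE_RESULT):
        print(f"{src} -> {dst}:{port}")
    # Live use (placeholders): run_ariel_search("qradar.example.local",
    #     "<SEC token>", build_aql(42)) and pass the result to extract_triples.
```

In practice this would run from a SOAR function or script at the start of the playbook, keyed on the offense ID the plugin already passes across, so the playbook gets the destination port without waiting on a plugin feature request.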