IBM Security QRadar

 View Only

Q Radar and D3 SOAR event/incident (Offense) data ingestion

  • 1.  Q Radar and D3 SOAR event/incident (Offense) data ingestion

    Posted Tue November 08, 2022 06:37 AM

    Has anybody here successfully configured data ingestion from Q Radar into D3 SOAR? Curious as to the method you used to get data into D3 from Q Radar (On Cloud).

    D3 has some built in Q Radar integrations (specifically, Fetch Event and Fetch Incident). Both require an AQL search to specify criteria on the Q Radar side for the events/Incidents you want to grab and pull into D3 and basically, you set a schedule and some time interval info to poll Q Radar for the search results. Once ingested, any data polled/pulled from Q Radar become an event in D3 that you then run a playbook on to automate the IR. I am having some issues with the schedule search not finding data but the test function, using exact same search used in the schedule, finds and displays the correct data. Yes, I realize this is probably a D3 issue, working with them on it). However, I would also like to chat specifically about how you went about ingesting data from Q Radar into D3, there are several different approaches that all have their pros and cons.

    Here is an example search to find any events matching a specific QID in Q Radar:

    qid AS 'QID',
    QidName(qid) AS 'EventName',
    category AS 'LowLevelCategoryID',
    CategoryName(category) AS 'LowLevelCategory',
    highlevelcategory AS 'HighlevelCategoryID',
    CategoryName(highlevelcategory) AS 'HighlevelCategory',
    QIDDESCRIPTION(qid) AS 'EventDescription',
    magnitude AS 'Magnitude',
    relevance AS 'Relevance',
    severity AS 'Severity',
    credibility AS 'Credibility',
    userName AS 'Username',
    starttime AS 'StartTime (timestamp)',
    starttime, 'YYYY-MM-dd HH:mm:ss z'
    ) AS 'StartTime',
    endTime AS 'StorageTime (timestamp)',
    endTime, 'YYYY-MM-dd HH:mm:ss z'
    ) AS 'StorageTime',
    duration AS 'Duration',
    devicetime AS 'LogSourceTime(timestamp)',
    devicetime, 'YYYY-MM-dd HH:mm:ss z'
    ) AS 'Log Source Time',
    domainID AS 'DomainID',
    DOMAINNAME(domainID) AS 'Domain',
    eventDirection AS 'EventDirection',
    sourceip AS 'SourceIP',
    ASSETHOSTNAME(sourceip) AS 'Source Asset Name',
    sourceport AS 'Source Port',
    preNatSourceIP AS 'Pre NAT Source IP',
    preNatSourcePort AS 'Pre NAT Source Port',
    postNatSourceIP AS 'Post NAT Source IP',
    postNatSourcePort AS 'Post NAT Source Port',
    sourcev6 AS 'Source IPv6',
    sourceMAC AS 'Source MAC',
    sourceaddress AS 'Source Address',
    sourcegeographiclocation AS 'SourceGeographicLocation',
    NetworkName(sourceip) AS 'SourceNetworkName',
    destinationip AS 'DestinationIP',
    ASSETHOSTNAME(destinationip) AS 'DestinationAssetName',
    destinationPort AS 'Destination Port',
    preNatDestinationIP AS 'Pre NAT Destination IP',
    preNatDestinationPort AS 'PreNATDestinationPort',
    postNatDestinationIP AS 'PostNATDestinationIP',
    postNatDestinationPort AS 'PostNATDestinationPort',
    destinationv6 AS 'DestinationIPv6',
    destinationMAC AS 'DestinationMAC',
    destinationaddress AS 'DestinationAddress',
    destinationgeographiclocation AS 'DestinationGeographicLocation',
    NetworkName(destinationip) AS 'DestinationNetworkName',
    payload AS 'Payload (base64)',
    UTF8(payload) AS 'Payload(UTF)',
    protocolid AS 'ProtocolID',
    ProtocolName(protocolid) AS 'Protocol',
    logsourceid AS 'LogSourceID',
    LOGSOURCENAME(logsourceid) AS 'LogSource',
    HOSTNAME(logsourceid) AS 'LogSourceHostname',
    deviceGroupList AS 'DeviceGroupListID',
    LOGSOURCEGROUPNAME(deviceGroupList) AS 'DeviceGroupListName',
    deviceType AS 'DeviceTypeID',
    LOGSOURCETYPENAME(deviceType) AS 'DeviceTypeName',
    eventcount AS 'EventCount',
    creeventlist AS 'CustomRuleIDs',
    RULENAME(creeventlist) AS 'CustomRules',
    partialmatchlist AS 'CustomRulesPartiallyMatchedIDs',
    RULENAME(partialmatchlist) AS 'CustomRulesPartiallyMatched',
    geographiclocation AS 'GeographicLocation',
    hasOffense AS 'HasOffense',
    isCREEvent AS 'IsCustomRuleEvent',
    isduplicate AS 'IsDuplicateevent',
    isunparsed AS 'Eventisunparsed',
    pcappacket AS 'PCAPpacket',
    processorId AS 'EventprocessorID',
    PROCESSORNAME(processorid) AS 'EventprocessorName',
    adekey AS 'Adekey',
    adevalue AS 'Adevalue',
    identityip AS 'IdentityIP',
    identityhostname AS 'IdentityHostName',
    hasIdentity AS 'Hasidentity'
    WHERE QID = '5000910'     #standard Windows Event ID of 4740, User Account Locked Out

    If you've dealt with this combination of Q Radar/D3 SOAR, hit me up please. 


    Brian Hearn
    IT Security Engineer
    Peppermill Casinos
    Reno NV