IBM QRadar SOAR


Qradar from offense add some ioc to artifact field automatically

  • 1.  Qradar from offense add some ioc to artifact field automatically

    Posted Mon November 11, 2024 11:37 AM

    Hello everyone,

    I'm new around here and currently learning how to use QRadar. We've successfully installed the QRadar SIEM plugin for SOAR, and can now send offenses to SOAR using the "Send to SOAR" button. However, we're facing an issue where the artifact field isn't automatically populated, and we have to fill it in manually. Does anyone have any tips on how to automatically include all IoCs from the events in an offense as artifacts?

    Best regards, Hanif



    ------------------------------
    Hanif Kurniawan Atmanto
    ------------------------------


  • 2.  RE: Qradar from offense add some ioc to artifact field automatically

    Posted Tue November 12, 2024 12:10 PM

    Hi Hanif,

    You can build a new template from the Escalations tab in the QRadar SIEM plugin for SOAR and select the checkboxes for "Source Addresses", "Local Destination Addresses" and "Offense Source" to generate artifacts automatically for them in SOAR. You can also map other offense fields (if needed) to create custom artifacts. You need to use this template when escalating offenses to SOAR.



    ------------------------------
    DillipNath
    ------------------------------