IBM Security QRadar SOAR


How to modify the "Assigned to" field in QRadar from SOAR

  • 1.  How to modify the "Assigned to" field in QRadar from SOAR

    Posted Thu April 21, 2022 01:51 PM
    Hi everyone,

    We have installed the SOAR plugin in our QRadar installation and it is working fine.
    I have configured an escalation template to associate the QRadar offense field {{ offense.assigned_to }} to the SOAR field "QR Assigned" that was created upon the installation of the "QRadar Enhanced Data Migration" extension in SOAR.
    When the value of the QRadar field "Assigned to" is changed, the "QR Assigned" in SOAR is automatically updated but the reverse is not true: a change in SOAR does not update the QRadar field.
    Is this an option that needs to be configured in the SOAR plugin?
    Is there another way of doing this? Like a SOAR function or an API call?
    My use case is this: the offense in QRadar will automatically escalate to SOAR where some script will assign the incident to someone. We would like to update the QRadar offense with the name of the owner of the incident in SOAR.

    Note: our QRadar and SOAR installations are in the cloud and both share the same user names.

    Thanks for your help

    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: How to modify the "Assigned to" field in QRadar from SOAR

    Posted Mon April 25, 2022 09:43 AM

    Hi Pierre,

    We are working on an update to the QRadar Enhanced Data Migration to automatically refresh the fields and data tables in SOAR with the updated values from QRadar Offense/Events. The updated app should be available on App Exchange in a week or two. Let us know if that would address your use case.

    Thanks,

    Chaitanya



    ------------------------------
    Chaitanya Challa
    ------------------------------