IBM Security QRadar SOAR

  • 1.  Passing a url in a jinja template

    Posted Mon April 25, 2022 06:42 PM
    Hi,

    When SOAR is integrated with QRadar, a JINJA template must be created in QRadar to pass some offense information to the SOAR incident.
    The default value for the description of the incident when you create a new template is this:
    {{offense.event_count}} events in {{offense.category_count}} categories: {{offense.description}}

    At the end of the default value, I would like to add an HTML tag like this one:
    <a href="https://myconsole.qradar.ibmcloud.com/console/ui/offenses/{{offense.id}}" target="_blank" </a>

    I would like the link to appear in the SOAR incident description field.  When I add the text at the end of the description field in QRadar, it does not show up in the offense description in SOAR, even though the description field in SOAR is a text area.

    Does anybody have any clue?
    Thanks for your help


    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: Passing a url in a jinja template

    IBM Champion
    Posted Tue April 26, 2022 12:01 PM

    Pierre,

    I think the HTML isn't formed correctly. Try <a href="https://myconsole.qradar.ibmcloud.com/console/ui/offenses/{{offense.id}}" target="_blank">{{offense.id}}</a> or something similar. With anchor tags (I believe) you have to specify what you would like the link to display. Since you aren't telling it to display anything, that may be why you're not seeing it in the description.

    In our QRadar -> IBM SOAR integration escalation template we are supplying <a href="https://qradar.example.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId={{offense.id}}&pageNumber=1&bt.label.0=All+Offenses&bt.url.0=%2Fconsole%2Fdo%2Fsem%2Foffensesearch%3Fdispatch%3DperformDefaultSearch%26appName%3DSem%26pageId%3DOffenseList&bt.pageId.0=OffenseList">Offense in QRadar</a> to a Rich Text field and the link is getting generated in the IBM SOAR incident properly.



    ------------------------------
    Liam Mahoney
    ------------------------------
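
An added example, not part of either post and not IBM code: a pre-deployment check that renders the description template against a constructed offense and lists only anchors that are closed and carry visible text, which is the difference between the two tags quoted above. The `render` helper is a minimal stand-in for Jinja that only substitutes `{{offense.<field>}}`; the function names and the sample offense are assumptions.

```python
import html
import re
from html.parser import HTMLParser

PLACEHOLDER = re.compile(r"\{\{\s*offense\.(\w+)\s*\}\}")
# Constructed sample offense, not real QRadar data.
OFFENSE = {"id": 4711, "event_count": 12, "category_count": 3,
           "description": "Constructed sample offense"}
DEFAULT = ("{{offense.event_count}} events in {{offense.category_count}} "
           "categories: {{offense.description}} ")
URL = "https://myconsole.qradar.ibmcloud.com/console/ui/offenses/{{offense.id}}"
BROKEN = DEFAULT + '<a href="' + URL + '" target="_blank" </a>'
FIXED = DEFAULT + '<a href="' + URL + '" target="_blank">{{offense.id}}</a>'

def render(template, offense):
    """Stand-in for Jinja: substitute {{offense.<field>}}, HTML-escaping values."""
    return PLACEHOLDER.sub(
        lambda m: html.escape(str(offense[m.group(1)])), template)

class _AnchorCollector(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.links = []      # (href, visible text) of closed, non-empty anchors
        self._href = None    # href of the anchor currently open, if any
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            if text:  # an anchor with no text renders nothing to click
                self.links.append((self._href, text))
            self._href = None

def clickable_links(template, offense):
    """Return (href, text) for every anchor a rich text field could display."""
    parser = _AnchorCollector()
    parser.feed(render(template, offense))
    parser.close()
    return parser.links

if __name__ == "__main__":
    print("broken:", clickable_links(BROKEN, OFFENSE))
    print("fixed: ", clickable_links(FIXED, OFFENSE))
```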



  • 3.  RE: Passing a url in a jinja template

    Posted Wed April 27, 2022 11:24 AM
    Hi Liam
    I corrected the syntax according to your recommendation and it worked!
    Thanks

    ------------------------------
    Pierre Dufresne
    ------------------------------



  • 4.  RE: Passing a url in a jinja template

    Posted Tue April 26, 2022 01:11 PM

    Hi Pierre,

    The "QRadar Enhanced Data Migration" SOAR app provides an OOTB tab "QRadar Offense Details" which would have a link back to the Offense. Is there any other use case where you would like the offense link to be a part of the description in addition to the link in the Offense Summary section of the tab?

    Thanks,

    Chaitanya



    ------------------------------
    Chaitanya Challa
    ------------------------------



  • 5.  RE: Passing a url in a jinja template

    Posted Wed April 27, 2022 11:37 AM
    Hi Chaitanya,
    In fact, it was after using the "QRadar Enhanced Data Migration" SOAR app that the idea came of putting the link back to the QRadar offense directly in the description.
    This way, I do not need to set up a playbook to call the "QRadar Enhanced Data Migration" function to get the link back.
    Also, I was hoping that this way of providing a link back to the QRadar offense would be a shortcut that could be used directly from the list of incidents in the Incidents menu.  Unfortunately, when the cursor hovers over the description field, the link is visible but it is not clickable.
    Thanks for your time.


    ------------------------------
    Pierre Dufresne
    ------------------------------