Hi I did this a while ago, this is a python script made to close offenses that have a start time of more than 12 hours. It is designed for environments where there is no SOAR or any other tool that allows to do it automatically.This script can be executed from crontab with the periodicity that you require.
Must check
- Have an authorized service token with admin privileges. Variable=SEC_TOKEN
- Network connectivity with the Qradar console through port 433. Variable=URL_base
- ID Custom Offense Close Reason
You can change:
- The text for the note inside the offense.
The step by step of how to use the script is on github in jupyter notebook format, I have tried to explain everything there https://github.com/chmedinap/Qradar-Scripts/tree/main/Close%20offense
I hope it works for you!
API Reference - Functions:
get_offenses
| Parameter |
Type |
Description |
| status |
string |
The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
close_offense
POST - /siem/offenses/{offense_id}
| Parameter |
Type |
Description |
| offense_id |
num |
Required. Number - The ID of the offense. |
| closing_reason_id |
num |
Required. Number - The ID of a closing reason. |
| status |
string |
Required. Number - The status of the offense. |
add_comment
POST - /siem/offenses/{offense_id}/notes
| Parameter |
Type |
Description |
| offense_id |
num |
Required. Number - The ID of the offense. |
| notes |
string |
Required. Number - The note text. |
Documentation
------------------------------
Carlos Medina
------------------------------