QRadar
Integration version: 52.0
Supported QRadar deployments
This integration supports both on-premises and cloud QRadar deployments.
Network access to QRadar
API access from Google Security Operations SOAR to QRadar: Allow traffic over port 443 (HTTPS) or as configured in your environment.
Set QRadar permissions
Create a Google Security Operations SOAR user
In QRadar, click the top left icon.
Go to Admin and click Users.
Click New and fill in the information to create a new Admin user.
Create a Google Security Operations SOAR security profile
Go to Admin > User Management > Security Profiles.
Create a profile with the following settings:
- Permission Precedence: No Restrictions
- Log Sources: All Log Source Groups
- Network: All
- Domains: All Domains
Deploy changes
Click Deploy in the screen.
Create an Authorized Service to access the API
Go to Admin > User Management > Authorized Services.
Create a service with the following settings:
- Service Name: Siemplify_Application_User
- User Role: admin
- Security Profile: admin
- Expiry Date: No Expiry
Copy the generated authentication key and use it in the Google Security Operations SOAR integration settings (Deployment Wizard).
Configure QRadar integration in Google Security Operations SOAR
For detailed instructions on how to configure an integration in Google Security Operations SOAR, see Configure integrations.
Integration parameters
Use the following parameters to configure the integration:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Instance Name | String | N/A | No | Name of the Instance you intend to configure integration for. |
| Description | String | N/A | No | Description of the Instance. |
| Api Root | String | https://IP_ADDRESS |
Yes | The URL path that points to the QRadar server. |
| Api Token | Password | N/A | Yes | The API security token for authentication. |
| API Version | String | N/A | No | The API version used. |
| Run Remotely | Checkbox | Unchecked | No | Check the field in order to run the configured integration remotely. Once checked, the option appears to select the remote user (agent). |
Actions
Similar Flows Query
Description
Execute a predefined AQL query to find flows related to the specified Google Security Operations SOAR IP address entity.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Time Delta In Minutes | Integer | 10 | No | Fetch flows for the last x minutes. The parameter accepts numeric values for example, 10. |
| Flows Limit To Fetch | Integer | 23 | Yes | Limit flows that the action can return. The parameter accepts numeric values for example, 10. |
| Fields To Display | String | N/A | No | Fields to fetch from the flow in addition to predefined ones. If not set, the action returns predefined fields for the flow. |
| Source IP Address Field Name | String | N/A | No | Fields that represents Source IP Address Field of the flow. |
| Destination IP Address Field Name | String | N/A | No | Fields that represents Destination IP Address Field of the flow. |
Playbook use case example
Get information from QRadar about flows registered for the specific IP address for the last x minutes.
Run on
This action runs on the IP Address entity.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"flows": [
{
"destinationflags": 27,
"destinationpackets": 5.0,
"sourcebytes": 522.0,
"protocolid": 6,
"sourceip": "195.200.72.148",
"destinationbytes": 571.0,
"lastpackettime": 1585057251000,
"sourceflags": 27,
"sourcepackets": 5.0,
"qid": 53268795,
"flowtype": 0,
"destinationip": "37.28.155.22",
"firstpackettime": 1585057224000,
"category": 18448,
"source hostname": null,
"destination hostname": null
},
{
"destinationflags": null,
"destinationpackets": 0.0,
"sourcebytes": 78.0,
"protocolid": 17,
"sourceip": "195.200.72.148",
"destinationbytes": 0.0,
"lastpackettime": 1585057220000,
"sourceflags": null,
"sourcepackets": 1.0,
"qid": 53258563,
"flowtype": 0,
"destinationip": "8.8.8.8",
"firstpackettime": 1585057177000,
"category": 18438,
"source hostname": null,
"destination hostname": null
},
...
]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail, nor should it stop a playbook execution:
The action should fail and stop playbook execution:
|
General |
| Table | Similar flows for entity: {0}".format(Siemplify.entity.identifier) Headers:... |
Entity |
Similar Events Query
Description
Execute a predefined AQL query to find events related to the specified Google Security Operations SOAR IP address, Hostname, or Username entities.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Time Delta In Minutes | Integer | 10 | No | Fetch flows for the last x minutes. The parameter accepts numeric values for example, 10. |
| Events Limit To Fetch | Integer | 25 | Yes | Limit events that the action can return. The parameter accepts numeric value, for example, 25. |
| Fields To Display | CSV | N/A | No | Fields to fetch from the event in addition to predefined ones. If not set, the action returns predefined fields for the event. |
| Hostname Field Name | String | N/A | No | Field that represents Hostname Field of the event. |
| Source IP Address Field Name | String | N/A | No | Fields that represents Source IP Address Field of the flow. |
| Destination IP Address Field Name | String | N/A | No | Fields that represents Destination IP Address Field of flow. |
| Username Field Name | String | N/A | No | Fields that represents Username Field of event. |
Use cases example
Get information from QRadar about events registered for the specified entity for the last x minutes.
Run on
This action runs on the following entities:
- IP Address
- Hostname
- User
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"events": [
{
"starttime": 1585288010745,
"protocolid": 255,
"sourceip": "10.0.100.250",
"logsourceid": 62,
"qid": 18750001,
"sourceport": 0,
"eventcount": 1,
"magnitude": 10,
"identityip": "0.0.0.0",
"destinationip": "10.0.100.250",
"destinationport": 0,
"category": 10008,
"username": null,
"hostname": null
},
{
"starttime": 1585288010745,
"protocolid": 255,
"sourceip": "10.0.100.250",
"logsourceid": 62,
"qid": 18750001,
"sourceport": 0,
"eventcount": 1,
"magnitude": 10,
"identityip": "0.0.0.0",
"destinationip": "10.0.100.250",
"destinationport": 0,
"category": 10008,
"username": null,
"hostname": null
},
...
]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action should not fail, nor should it stop a playbook execution:
The action should fail and stop playbook execution:
|
General |
| Table | Similar flows for entity: {0}".format(Siemplify.entity.identifier) Headers:... |
Entity |
QRadar AQL Search
Description
Run an arbitrary AQL query against the QRadar instance. The action returns an output in CSV format.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Query Format | String | N/A | Yes | Query format to execute for example, "Select * from flows limit 10 last 10 minutes". |
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| results | N/A | N/A |
JSON result
{
"events": [
{
"username": "None",
"category": 4003,
"starttime": 1548682790158,
"destinationip": "1.1.1.1",
"eventcount": 13,
"qid": 20257872,
"magnitude": 3,
"destinationport": 53,
"protocolid": 17,
"sourceport": 50597,
"identityip": "1.1.1.1",
"sourceip": "1.1.1.1",
"logsourceid": 71
}, {
"username": "None",
"category": 8053,
"starttime": 1548682800217,
"destinationip": "1.1.1.1",
"eventcount": 1,
"qid": 20280296,
"magnitude": 3,
"destinationport": 443,
"protocolid": 6,
"sourceport": 49230,
"identityip": "1.1.1.1",
"sourceip": "1.1.1.1",
"logsourceid": 71
}
]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The Action shouldn't fail, nor should it stop a playbook execution
The action should fail and stop a playbook execution:
|
General |
| Table | "Query results" Headers:... |
General |
Ping
Description
Test connectivity to a QRadar instance.
Parameters
N/A
Intended use cases
Testing that access to the target system is successful or not with parameters, provided at the integration configuration on the Google Security Operations Marketplace page.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | The action shouldn't fail, nor should it stop a playbook execution.
The action should fail and stop a playbook execution:
|
General |
Lookup for a Value in Reference set
Description
Check if a value is listed in a specific reference set.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Name | String | N/A | Yes | The name of the reference set to check a value. |
| Value | String | N/A | Yes | The value to check in a referenced set. |
Playbook use case example
An IP is found malicious in playbook run, check if it is listed in the Malicious_IPs reference set.
Run on
This action doesn't run on the Google Security Operations SOAR entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"timeout_type": "FIRST_SEEN",
"number_of_elements": 1,
"data": [
{
"last_seen": 1611149814345,
"first_seen": 1611149814345,
"source": "admin",
"value": "192.168.10.230",
"domain_id": null
}
],
"creation_time": 1440695740583,
"name": "Critical Assets",
"namespace": "SHARED",
"element_type": "IP",
"collection_id": 20
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
Lookup for a Value in Reference Map
Description
Check if a value is listed in a specific reference map.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Name | String | N/A | Yes | The name of the reference map to check a value. |
| Value | String | N/A | Yes | The value to check in a referenced map. |
Playbook use case example
Check if a username is allowed to access a given IP based on reference map values.
Run on
This action doesn't run on the Google Security Operations SOAR entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": {
"1001": {
"last_seen": 1583903726952,
"first_seen": 1583903726952,
"source": "reference data api",
"value": "jack"
}
}
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
Lookup for a Value in Reference Map of sets
Description
Check if a value is listed in a specific reference map of sets.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Name | String | N/A | Yes | The name of the reference map of sets to check a value. |
| Value | String | N/A | Yes | The value to check in a referenced map of sets. |
Use cases example
Check if a username is allowed to access a given IP based on reference map of setvalues.
Run on
This action runs on the Google Security Operations SOAR entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
"data": {
"192.168.1.1": [
{
"last_seen": 1583912905418,
"first_seen": 1583912905418,
"source": "reference data api",
"value": "jack, john, huey"
},
{
"last_seen": 1583913398524,
"first_seen": 1583913398524,
"source": "reference data api",
"value": "zz"
},
{
"last_seen": 1583913639025,
"first_seen": 1583913639025,
"source": "reference data api",
"value": "jane"
}
]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
Lookup for a Value in Reference Tables
Description
Check if a value is listed in a specific reference table.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Name | String | N/A | Yes | The name of the reference table to check a value. |
| Value | String | N/A | Yes | The value to check in a referenced table. |
Run on
This action runs on all entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": {
"Source_IP": {
"port": {
"last_seen": 1583933682283,
"first_seen": 1583933682283,
"source": "reference data api",
"value": "8080"
}
},
"192.168.1.1": {
"port": {
"last_seen": 1583990995600,
"first_seen": 1583990995600,
"source": "reference data api",
"value": "8080"
}
}
}
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
Lookup for a Key in Reference Map
Description
Check if a key is listed in a specific reference map.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Name | String | N/A | Yes | The name of the reference map to check a value. |
| Key | String | N/A | Yes | The key to check in a reference map. |
Use cases example
Check if a username is allowed to access a given IP based on reference map values.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"data": {
"1001": {
"last_seen": 1583903726952,
"first_seen": 1583903726952,
"source": "reference data api",
"value": "jack"
}
}
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* | This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
Lookup for a Key in Reference Map of sets
Description
Check if a key is listed in a specific reference map of sets.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Name | String | N/A | Yes | The name of the reference map of sets to check a value. |
| Key | String | N/A | Yes | The key to check in a referenced map of sets. |
Use cases example
Check if a username is allowed to access a given IP based on reference map of set values.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
"data": {
"192.168.1.1": [
{
"last_seen": 1583912905418,
"first_seen": 1583912905418,
"source": "reference data api",
"value": "jack, john, huey"
},
{
"last_seen": 1583913398524,
"first_seen": 1583913398524,
"source": "reference data api",
"value": "zz"
},
{
"last_seen": 1583913639025,
"first_seen": 1583913639025,
"source": "reference data api",
"value": "jane"
}
]
}
Case wall
| Result type | Description | Type | |
|---|---|---|---|
| Output message* | This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
List Reference Sets
Description
List reference sets available in QRadar.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Fields To Return | String | N/A | No | Specify the fields that should be returned by the action. If nothing is provided, the action returns all available fields by default. The parameter accepts multiple values separated by comma. |
| Filter Condition | String | N/A | No | Specify a filter condition to return only specific elements, for example: element_type = IP |
| Number Of Elements To Return | Integer | 25 | Yes | Specify a maximum number of elements to return by the action. |
Use cases example
List available elements for the reference.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[
{
"name": "Critical Assets",
"element_type": "IP"
},
{
"name": "Asset Reconciliation IPv4 Blocklist",
"element_type": "IP"
},
{
"name": "Proxy Servers",
"element_type": "IP"
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
List Reference Maps
Description
List reference maps available in QRadar.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Fields To Return | String | N/A | No | Specify the fields that should be returned by the action. If nothing is provided, the action returns all available fields by default. This parameter accepts multiple values separated by comma. |
| Filter Condition | String | N/A | No | Specify a filter condition to return only specific elements, for example: element_type = ALNIC |
| Number Of Elements To Return | Integer | 25 | Yes | Specify a maximum number of elements to return by the action. |
Use cases example
List available elements for the reference.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[
{
"name": "User1",
"element_type": "ALNIC"
},
{
"name": "User",
"element_type": "ALNIC"
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail and not stop playbook execution:
Action should fail and stop playbook execution:
|
General |
List Reference Maps of Sets
Description
List reference maps of sets available in QRadar.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Fields To Return | String | N/A | No | Specify the fields that should be returned by the action. If nothing is provided, the action returns all available fields by default. This parameter accepts multiple values separated by comma. |
| Filter Condition | String | N/A | No | Specify a filter condition to return only specific elements, for example: element_type = ALN |
| Number Of Elements To Return | Integer | 25 | Yes | Specify a maximum numbers of elements to return by the action. |
Use cases example
List available elements for the reference.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[
{
"name": "CorrelatedAttackMap",
"element_type": "ALN"
},
{
"name": "TestMapOfSets",
"element_type": "ALN"
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail and not stop playbook execution:
Action should fail and stop playbook execution:
|
General |
List Reference Tables
Description
List reference tables available in QRadar.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Fields To Return | String | N/A | No | Specify the fields that should be returned by the action. If nothing is provided, the action return all available fields by default. The parameter accepts multiple values separated by comma. |
| Filter Condition | String | N/A | No | Specify a filter condition to return only specific elements, for example: element_type = ALN |
| Number Of Elements To Return | Integer | 25 | Yes | Specify a maximum number of elements to return by the action. |
Use cases example
List available elements for the reference.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[
{
"name": "TestTable2",
"element_type": "ALN"
},
{
"name": "TestTable3",
"element_type": "ALN"
}
]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
Add Offense Note
Description
Add a note to a QRadar offense.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Offense ID | Integer | N/A | Yes | Offense ID to add a note to. |
| Note Text | String | N/A | Yes | Note text to add to offense. |
Playbook use cases example
Add a note on QRadar offense from Google Security Operations SOAR.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail and not stop playbook execution:
|
General |
Update Offense
Description
Update QRadar Offense.
Parameters
| Parameter Display Name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Offense ID | Integer | N/A | Yes | Offense ID to update. |
| Assigned To | String | N/A | No | User login to assign the offense to. |
| Status | DDL | " " | No | New status of the offense. |
| Closing Reason | String | N/A | No | If offense status is set to closed, you need to provide a QRadar closing reason. |
| Follow Up | Checkbox | Checkbox Unchecked | No | Specify whether offense should be marked as a follow up. |
| Protected | Checkbox | Checkbox Unchecked | No | Specify whether offense should be marked as protected. |
Playbook use cases example
Update QRadar offense back from Google Security Operations SOAR to keep QRadar offense status in sync with Google Security Operations SOAR.
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
{
"last_persisted_time": 1611143659000,
"username_count": 0,
"description": "Web\n",
"rules": [
{
"id": 100555,
"type": "CRE_RULE"
}
],
"event_count": 0,
"flow_count": 4,
"assigned_to": "admin",
"security_category_count": 1,
"follow_up": true,
"source_address_ids": [
50
],
"source_count": 1,
"inactive": true,
"protected": true,
"closing_user": null,
"destination_networks": [
"other"
],
"source_network": "other",
"category_count": 1,
"close_time": null,
"remote_destination_count": 1,
"start_time": 1610451749000,
"magnitude": 0,
"last_updated_time": 1610451887000,
"credibility": 0,
"id": 93,
"categories": [
"Web"
],
"severity": 0,
"policy_category_count": 0,
"log_sources": [],
"closing_reason_id": null,
"device_count": 0,
"first_persisted_time": 1610451722000,
"offense_type": 1,
"relevance": 0,
"domain_id": 0,
"offense_source": "37.28.155.22",
"local_destination_address_ids": [],
"local_destination_count": 0,
"status": "OPEN"
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail and not stop playbook execution:
This action should fail and stop playbook execution:
|
General |
Get Rule MITRE Coverage
Description
Get MITRE details about rules in QRadar using the Use Case Manager application.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Rule Names | CSV | Yes | Specify a comma-separated list of rule names for which the action should return MITRE details. | |
| Create Insight | Boolean | True | No | If enabled, the action creates an insight containing information about MITRE coverage of the rules. |
Run on
This action doesn't run on entities.
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| is_success | True/False | is_success:False |
JSON result
[{
"rulename": "Excessive Database Connections"
"id": "SYSTEM-1431",
"has_ibm_default": true,
"last_updated": 1591634177302,
"mapping": {
"Discovery": {
"confidence": "medium",
"user_override": false,
"enabled": true,
"ibm_default": true,
"id": "TA0007",
"techniques": {}
},
"Initial Access": {
"confidence": "low",
"user_override": false,
"enabled": true,
"ibm_default": true,
"id": "TA0001",
"techniques": {}
}
},
"min-mitre-version": 7
}
}]
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail nor stop a playbook execution:
This action should fail and stop a playbook execution:
|
General |
| Case Wall Table | Table Name: MITRE Coverage Table Columns:
|
QRadar Simple AQL Search
Description
Execute an AQL query based on parameters in QRadar.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Table Name | DDL |
Flows Possible values:
|
Yes | Specify the table that should be queried. |
| Fields To Return | CSV | * | No | Specify the fields to return. If nothing is provided, the action returns all fields. Wildcard is also supported. |
| Where Filter | String | No | Specify the WHERE filter for the query that needs to be executed.
You don't need to provide time filter, limiting and sorting. Also, you don't need to provide WHERE string in the payload. |
|
| Time Frame | DDL |
Last Hour Possible Values:
|
No | Specify the time frame for the results. If "Custom" is selected, you also need to provide "Start Time". |
| Start Time | String | No | Specify the start time for the results. This parameter is mandatory, if "Custom" is selected for the "Time Frame" parameter. Format: ISO 8601. Example: 2021-04-23T12:38Z | |
| End Time | String | No | Specify the end time for the results. Format: ISO 8601. If nothing is provided and "Custom" is selected for the "Time Frame" parameter then this parameter uses current time. | |
| Sort Field | String | No | Specify the parameter that should be used for sorting. | |
| Sort Order | DDL |
ASC Possible Values:
|
No | Specify the order of sorting. Requires the "Sort Field" parameter to be provided. |
| Max Results To Return | Integer | 50 | No | Specify the number of results to return. |
Action results
Script result
| Script result name | Value options | Example |
|---|---|---|
| results | N/A | N/A |
JSON result
{
"events": [
{
"username": "None",
"category": 4003,
"starttime": 1548682790158,
"destinationip": "1.1.1.1",
"eventcount": 13,
"qid": 20257872,
"magnitude": 3,
"destinationport": 53,
"protocolid": 17,
"sourceport": 50597,
"identityip": "1.1.1.1",
"sourceip": "1.1.1.1",
"logsourceid": 71
}, {
"username": "None",
"category": 8053,
"starttime": 1548682800217,
"destinationip": "1.1.1.1",
"eventcount": 1,
"qid": 20280296,
"magnitude": 3,
"destinationport": 443,
"protocolid": 6,
"sourceport": 49230,
"identityip": "1.1.1.1",
"sourceip": "1.1.1.1",
"logsourceid": 71
}
]
}
Case wall
| Result type | Description | Type |
|---|---|---|
| Output message* |
This action should not fail nor stop a playbook execution:
This action should fail and stop a playbook execution:
|
General |
| Case Wall Table | Table Name: Results |
Connectors
Configure QRadar connectors in Google Security Operations SOAR
For detailed instructions on how to configure a connector in Google Security Operations SOAR, see Configuring the connector.
QRadar Correlation Events Connector V2
Description
Recommended connector. Fetches QRadar offenses and forms Google Security Operations SOAR alerts for each QRadar rule added to dynamic list in Google Security Operations SOAR. Connector fetches only the offenses for rules that are added to Google Security Operations SOAR dynamic list. Connector requires minimum QRadar API version 10.1. Connector creates Google Security Operations SOAR alerts based on the rule name of QRadar offense, not the offense name.
Connector prerequisites
QRadar Indexes for required fields. The QRadar New Correlation Events Connector V2 connector uses additional fields for the events associated with the following offenses: logsource_id, creEventList, Custom Rule Partially Matched. Those fields should be indexed by default in QRadar, but it is required to make sure that these indexes are currently enabled. To check if they are enabled, in the QRadar Web UI go to Admin > Index Management. In the opened window you will find the following indexes, make sure they are enabled:
- Custom Rule
- Log Source
- Custom Rule Partially Matched
For more information, see Index management.
Max Days Backwards Recommendations The Max Days Backwards connector parameter value should be used with caution. QRadar offenses can have a lot of events, and trying to fetch those by the connector can cause excessive load on QRadar server and/or requests timeouts. Because of it, it's recommended to set the Max Days Backwards parameter to small enough values to make sure that connector is able to query QRadar for events for the configured period.
Connector usage notes
Note the following when using the connector:
QRadar Correlation Events Connector v2 keeps track of every event ingested per offense. To do that, it calculates a hash sum of events using all event data (every field for event returned by the QRadar API) and uses it as a unique identifier of the event for the offense. As a result, events that have every field identical aren't ingested for the offense. The first event is ingested and added to the related offense. However, the following ones are discarded as duplicates. The aforementioned is caused by the QRadar architecture as events in QRadar don't have unique identifiers.
QRadar Correlation Events Connector v2 creates alerts based on the dynamic list rules that are present for the offense, not for the offenses themselves. As a result, if an event in the offense is flagged by multiple dynamic list rules, this event is added to multiple Google Security Operations SOAR alerts for the related dynamic list rules.
IBM QRadar uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria, which is defined in the rules, an offense is created to show that a security attack or policy breach is suspected.
New connector ingests offenses into Google Security Operations SOAR based only on matched rules. These rules are user-defined and need to be added to the dynamic list to ensure that Google Security Operations SOAR only ingests offenses that are relevant to the user. Therefore, once a new offense is created, the connector checks the rules that triggered the offense (rule filtering was introduced on QRadar API version 9+). If the rules are part of the dynamic list, the connector prepares the offense for ingestion.
Connector use case
Investigate an offense
IBM QRadar uses rules to monitor the events and flows in your network to detect security threats. When the events and flows meet the test criteria that is defined in the rules, an offense is created to show that a security attack or policy breach is suspected. But, knowing that an offense occurred is only the first step. Identifying how it happened, where it happened, and who did it requires some investigation.
The Offense Summary window helps you begin your offense investigation by providing context to help you understand what happened and determine how to isolate and resolve the problem.
Connector parameters
Use the following parameters to configure the connector:
| Parameter name | Type | Default Value | Description | |
|---|---|---|---|---|
| Product Field Name | String | N/A | Describes the name of the field where the product name is stored. | |
| Event Field Name | String | N/A | Describes the name of the field where the event name is stored. | |
| Environment Field Name | String | domain_name | Describes the name of the field where the environment name is stored. If environment field isn't found, environment is "". | |
| Environment Regex Pattern | String | .* | A regex pattern to run on the value found in the "Environment Field Name" field. | |
| API Root | String | https://IP_ADDRESS:port |
The QRadar server address. | |
| API Token | String | N/A | The API authentication token. | |
| API Version | String | 10.1 | The QRadar API version to be used, the Connector supports API version starting from 10.1. | |
| Domain Filter | String (CSV) | N/A | Specify QRadar domains from which offenses should be ingested. If no values are provided, the connector will ingest offenses from all domains. Parameter accepts multiple values as a comma separated string. | |
| Events Limit per Siemplify Alert | Integer | 25 | Max number of events to fetch per Google Security Operations SOAR Alert per Cycle. Can be increased to make connector run faster, if for the specified offense padding period, large numbers of events are constantly returned. | |
| Connector Events Page Size | Integer | 100 | The size of the page that connector will use to process events in batches. | |
| Max Offenses per Cycle | Integer | 10 | Max offenses to process per connector run. | |
| Script Timeout (Seconds) | Integer | 300 | Timeout limit for the python process running the current script. | |
| Max Days Backwards | Integer | 5 | Max amount of days to fetch offenses data backwards. | |
| Offenses Padding Period | Integer | 60 | Time frame in minutes to fetch offenses in minutes. | |
| Events Padding Period | Integer | 1 | Time frame in days to fetch events data. | |
| Custom Fields | String | N/A | Custom fields that are configured by the user at the QRadar, values are comma-separated. Example: Field A, Field B | |
| What Value to use for the Name Field of Siemplify Alert? | String | custom_rule | Specify what format to follow to generate names for the alerts created by the connector.
Possible values are: custom_rule or offense_description |
|
| What Value to use for the Rule Generator Field of Siemplify Alert? | String | custom_rule | Specify what format to follow to fill the rule_generator field for the alerts created by the connector.
Possible values are: custom_rule or offense_description |
|
| Create "Cannot Fetch Events for the Offense" Cases? | Checkbox | Checked | If checked, the connector will create "Cannot fetch events for the offense" warning cases if the connector can't fetch events for the updated offenses during the offenses padding period. | |
| Proxy Server Addresses | String | N/A | Proxy server address. | |
| Proxy Username | String | N/A | Proxy username. | |
| Proxy Password | Password | N/A | Proxy password. | |
| Events Limit per Qradar Offense Rule | Integer | 100 | Specify a limit for the number of events that should be ingested per a single rule in QRadar offense. No new events are ingested to the offense for the related QRadar rule once this limit is reached. Example: 100 | |
| Events Limit for Connector to Query in One Connector Run | Integer | N/A | Specify a limit for the number of events that a single offense connector should query from QRadar in one connector execution. Example: 100.
Note that the value specified in the parameter can't be lower than the value specified in the Events Limit per QRadar Offense Rule parameter. Additionally, because of how the connector fetches events, events that are older and outside the limit aren't fetched to Google Security Operations SOAR. The connector fetches the newest events until the limit specified in the Events Limit per QRadar Offense Rule parameter is reached. |
|
| Use whitelist as a blacklist | Checkbox | Unchecked | If enabled, dynamic list is used as a blocklist. | |
| Disable Overflow | Checkbox | Unchecked | If enabled, the connector overflow mechanism isn't checked for the created alerts, the "overflow" alerts aren't created, and the connector tries to fetch all offenses returned from the QRadar. | |
| Qradar Offense Rules Re-Sync Timer | Integer | 10 | No | Specify in minutes how often the connector should resync QRadar offense rules list. If the parameter is not set or is set to 0, the connector resyncs every run. |
Connector rules
Blocklist and dynamic list
The connector is ingesting offenses into Google Security Operations SOAR based on matched rules. These rules are user defined and added to a dynamic list to ensure that Google Security Operations SOAR only ingest offenses that are of interest/important to the user.
| RuleType (Dynamic list or blocklist) | RuleName (string) |
|---|---|
| Dynamic list | Local: SSH or Telnet Detected on Non-Standard Port |
| Dynamic list | Multiple Login Failures from the Same Source |
Proxy support
The connector supports proxy.
Encrypted Communications
The connector supports encrypted communications (SSL/TLS).
Unicode support
The connector supports Unicode encoding for the alerts processed.
QRadar Offenses Connector
Description
QRadar offenses connector used to fetch offenses and create Google Security Operations SOAR alerts based on the QRadar offenses themselves, in opposite how other integration's connectors do it based on the QRadar rule names. Connector has a limit of how many events in total it will fetch per QRadar offense, after reaching that limit new events will not be ingested. Connector uses Google Security Operations SOAR dynamic list, but by default if no dynamic list rules are set, it will fetch all offenses returned from the QRadar API. Connector requires QRadar API version 10.1 or higher.
Connector can be considered as an easier to configure and use version that can be utilized if there is no need to track and ingest all QRadar offense events and ingest them to Google Security Operations SOAR (as integration correlation connectors do).
Connector parameters
Use the following parameters to configure the connector:
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Product Field Name | String | N/A | Yes | Describes the name of the field where the product name is stored. |
| Event Field Name | String | N/A | Yes | Describes the name of the field where the event name is stored. |
| Environment Field Name | String | domain_name | No | Describes the name of the field where the environment name is stored. If environment field isn't found, environment is "". |
| Environment Regex Pattern | String | .* | No | A regex pattern to run on the value found in the "Environment Field Name" field. |
| API Root | String | https://IP_ADDRESS:port |
Yes | The API server address. |
| API Token | String | N/A | Yes | The API authentication token. |
| API Version | String | 10.1 | Yes | The QRadar API version to be used, the Connector supports API version starting from 10.1. |
| Total limit of events per offense | Integer | 100 | Yes | Specify how many events per QRadar offense should be ingested in total by connector, after reaching that limit new events will not be ingested for the offense. |
| Events Limit per Qradar Offence Rule | Integer | N/A | No | Specify an optional limit for how many events should be ingested per single rule in QRadar offense, no new events will be ingested to the offense for the related QRadar rule once this limit is reached. Limit can't be bigger than "Total limit of events per offense". |
| Connector Events Page Size | Integer | 100 | Yes | The size of the page that connector will use to process events in batches. |
| Max Offenses per Cycle | Integer | 10 | Yes | Max offenses to process per connector run. |
| Script Timeout (Seconds) | Integer | 300 | Yes | Timeout limit for the python process running the current script. |
| Max Days Backwards | Integer | 5 | No | Max amount of days to fetch offenses data backwards |
| Offenses Padding Period | Integer | 60 | Yes | Time frame in minutes to fetch offenses in minutes. |
| Events Padding Period | Integer | 1 | Yes | Time frame in days to fetch events data. |
| Custom Fields | String | N/A | No | Custom fields that are configured by the user at the QRadar, comma separated, eg. Field A, Field B. |
| Domain Filter | String | N/A | No | Specify QRadar domains from which offenses should be ingested. If no values are provided, the connector will ingest offenses from all domains. Parameter accepts multiple values as a comma separated string. |
| Magnitude Filter | Integer | N/A | No | Specify an offense magnitude to ingest, offenses with the magnitude equal or bigger than provided will be ingested to Google Security Operations SOAR. |
| What Value to use for the Name Field of Siemplify Alert? | String | custom_alert_name | No | Specify what format to follow to generate names for the alerts created by the connector.
Possible values are: custom_alert_name or offense_description. |
| Use whitelist as a blacklist | Checkbox | Unchecked | No | If enabled, the dynamic list will be used as a blocklist. If the checkbox is not enabled and no dynamic list rules are set, the connector will fetch all offenses returned from the QRadar API. |
| Disable Overflow | Checkbox | Unchecked | No | If enabled, connector overflow mechanism will not be checked for the created alerts - "overflow" alerts will not be created, connector will try to fetch all offenses returned from QRadar. |
| Proxy Server Addresses | String | No | Proxy server address. | |
| Proxy Username | String | N/A | No | Proxy username. |
| Proxy Password | Password | N/A | No | Proxy password. |
| Qradar Offense Rules Re-Sync Timer | Integer | 10 | No | Specify in minutes how often the connector should resync Qradar offense rules list. If the parameter is not set or is set to 0, the connector resyncs every run. |
Connector rules
Proxy Support
The connector supports proxy.
QRadar Baseline Offenses Connector
The connector fetches offenses and creates Google Security Operations SOAR alerts based on the names of QRadar offenses.
The connector creates a single Google Security Operations SOAR alert per QRadar offense, and doesn't create additional Google Security Operations SOAR alerts when new events from QRadar appear.
The connector uses the Google Security Operations SOAR dynamic list. By default, if no dynamic list rules are set, the connector fetches all offenses returned from the Qradar API.
Connector parameters
| Parameters | |
|---|---|
| Product Field Name | Required
The name of the field where the product name is stored. |
| Event Field Name | Required
The name of the field where the event name is stored. |
| Environment Field Name | Optional
The name of the field where the environment name is stored. If the environment field isn't found, the environment is set to |
| Environment Regex Pattern | Optional
A regular expression pattern to run on the value found in the Default value is |
| API Root | Required
The API server address. |
| API Token | Required
The API authentication token. |
| API Version | Required
The QRadar API version. The Connector supports API versions 10.1 and later. |
| Total limit of events per offense | Required
Specifies how many events per QRadar offense should be ingested in total by connector. After reaching the set limit, new events will not be ingested for the offense. Default value is 100. |
| Events Limit per QRadar Offense Rule | Optional
Specifies an optional limit for a quantity of events that should be ingested per single rule into a QRadar offense. No new events are ingested into the offense for the related QRadar rule once the limit set by this parameter is reached. |
| Connector Events Page Size | Required
The size of the page that connector uses to process events in batches. Default value is 100. |
| Max Offenses per Cycle | Required Max number of offenses to process per single connector run. Default value is 10. |
| Script Timeout (Seconds) | Required
The timeout limit for the python process running the current script. Default value is 300 seconds. |
| Max Days Backwards | Optional
Max amount of days from which to fetch the offenses data. Default value is 5 days. |
| Offenses Padding Period | Required
Time frame in minutes to fetch offenses. Default value is 60 minutes. |
| Events Padding Period | Required
Time frame in days to fetch events data. Default value is one day. |
| Custom Fields | Optional
Custom comma-separated fields configured by the user in QRadar, such as |
| Domain Filter | Optional
Specifies QRadar domains to ingest offenses from. If no values are provided, the connector ingests offenses from all domains. The parameter accepts multiple values as a comma-separated string. |
| Magnitude Filter | Optional
Specifies an offense magnitude to ingest. Offenses with the magnitude equal to or greater than provided will be ingested to Google Security Operations SOAR. |
| What Value to use for the Name Field of Siemplify Alert? | Optional
Specifies what format to follow to generate names for the alerts created by the connector. Default value is Possible values:
|
| Use dynamic list as a blocklist | Optional
If checked, the dynamic list is used as a blocklist. If the checkbox is unchecked and no dynamic list rules are set, the connector fetches all offenses returned from the QRadar API. Unchecked by default. |
| Disable Overflow | Optional
If enabled, the connector overflow mechanism will not be checked for the created alerts so the "overflow" alerts will not be created and the connector will fetch all offenses returned from QRadar. Unchecked by default. |
| Proxy Server Addresses | Optional
The proxy server address. |
| Proxy Username | Optional
The proxy username. |
| Proxy Password | Optional
The proxy password. |
| Qradar Offense Rules Re-Sync Timer | Optional
Specifies the interval in minutes for the connector to resync the QRadar offense rules list. If the parameter is not set or is set to 0, the connector resyncs every run. Default value is 10 minutes. |
| Create SOAR alerts for offenses with 0 events | Optional
If checked, for offenses fetched with no events, the connector creates a Google Security Operations SOAR alert using the QRadar offense data for both alert and event. Unchecked by default. |
| Offenses Creation Timer (minutes) | Optional
Specifies how long the connector waits before fetching events data for a newly created QRadar offense. |
Connector rules
The connector supports Proxy.
Connector events
The example of an event is as follows:
{
"events": [
{
"CREName": null,
"CREDescription": null,
"EventName": "WinCollect Info",
"EventDescription": "WinCollect Info",
"rulename_creEventList": [
"Destination Asset Weight is Low",
"Source Asset Weight is Low",
"Events from Windows Host - Second Rule",
"Context is Local to Local"
],
"partialmatchlist": [],
"qid": 63500003,
"category": 8052,
"sourceHostname": null,
"destinationHostname": null,
"creEventList": [
100205,
100211,
100409,
100199
],
"credibility": 5,
"destinationMAC": "01:23:45:ab:cd:ef",
"destinationIP": "192.0.2.1",
"destinationPort": 0,
"destinationv6": "2001:db8:1:1:1:1:1:1",
"deviceTime": 1583158321000,
"deviceProduct": "WinCollect",
"domainID": 0,
"duration": 10000,
"endTime": 1583165521106,
"eventCount": 1,
"eventDirection": "L2L",
"processorId": 8,
"hasIdentity": false,
"hasOffense": true,
"highLevelCategory": 8000,
"isCREEvent": false,
"magnitude": 6,
"utf8_payload": "<13>Mar 02 16:12:01 DESKTOP IBM|WinCollect|src=DESKTOP\tos=Windows 10 (Build 18363 64-bit)\tdst=\tsev=3\tlog=Code.SSLConfigServerConnection\tmsg=ApplicationHeartbeat",
"postNatDestinationIP": "198.51.100.255",
"postNatDestinationPort": 0,
"postNatSourceIP": "198.51.100.1",
"postNatSourcePort": 0,
"preNatDestinationIP": "198.0.2.255",
"preNatDestinationPort": 0,
"preNatSourceIP": "192.0.2.255",
"preNatSourcePort": 0,
"protocolName": "Reserved",
"protocolID": 255,
"relevance": 9,
"severity": 3,
"sourceIP": "192.0.2.1",
"sourceMAC": "ab:cd:ef:01:23:45",
"sourcePort": 0,
"sourcev6": "2001:db8:2:2:2:2:2:2",
"startTime": 1583165521106,
"isunparsed": false,
"userName": null
}
]
}
Jobs
SyncCloseOffenses
Description
Closes related QRadar offenses for closed Google Security Operations SOAR alerts.
Parameters
| Parameter name | Type | Default value | Is mandatory | Description |
|---|---|---|---|---|
| Api Root | String | https://IP_ADDRESS |
Yes | The URL path that points to the QRadar server. |
| Api Token | Password | N/A | Yes | The API security token for authentication. |
| API Version | String | N/A | No | The API version used. |
| Days Backwards | Integer | N/A | No | Days backwards to get offenses for. |