topic Re: how to re-pull QRadar case in Cortex XSOAR Discussions

how to re-pull QRadar case

JoshBoyd — Thu, 11 May 2023 17:20:35 GMT

Our client leverages QRadar as their SIEM.

will pull in all cases and then have a pre-processing rule that drops any case that does not have "MSSP" in the name.

This works 99% of the time, but there are certain times when MSSP cases get dropped and we don't we don't know why yet.

Is there a way to "re-pull" Qradar cases from QRadar if the integration has already recognized them and dropped them.

I basically want a command to call QRadar integration again for a specific offense and have it create an XSOAR case.

Any thoughts or suggestions are appreciated -

Re: how to re-pull QRadar case

Ivetto — Thu, 11 May 2023 19:26:02 GMT

You could always try and setup the same integration and have it classified with a different name and no pre-processing to see what could be getting missed with the pre-processing rule.

Re: how to re-pull QRadar case

chrking — Wed, 21 Jun 2023 00:45:37 GMT

Preprocess rules which drop incidents create an audit log entry when they do so, so it's worth taking a look in your audit log for the missing incidents to see if they're being dropped unexpectedly.

You should also take a look at your filtering options on the QRadar integration - it's also possible that the missing incidents were never fetched in the first place.