XSOAR Qradar Offense Ingestion Doubt

DSilva8 — Fri, 28 Jun 2024 08:45:15 GMT

Hello all,

We've a situation that we would like to clarify if it's a misconfiguration or if it is an expected behaviour.

#Qradar integration is only fetching ofenses that includes specific rule ids but qradar how it works associates new events and new rules while we do not close the offense.
This causes that for example, the rule that triggered ofense number X is not one of the identified rules to fetch ofenses in xsoar so it's not fetched to xSOAR but it can be the case that 10/20 minutes later a new alert was triggered and it's generated by a rule that is identified to be fetched to qradar.
But As the last fetched timestamp and ofense ID is higher than the time and ID of offense that was update with new events and rule IDS, it's not fetched anymore.

Is there any way to fix it?

Thanks in advance,

Davide Silva

Re: XSOAR Qradar Offense Ingestion Doubt

AbelSantamarina — Wed, 03 Jul 2024 18:14:24 GMT

Hello @DSilva8,

Can you share the query you are using in XSOAR to pull in offenses from QRadar?
I think whare you are describing is the expected behavior. Unless your query for specific rule IDs triggers new offenses in QRadar, you won't see those offenses being ingested into XSOAR. This is because they are related to other offenses that don't match your query.

topic Re: XSOAR Qradar Offense Ingestion Doubt in Cortex XSOAR Discussions

XSOAR Qradar Offense Ingestion Doubt

Re: XSOAR Qradar Offense Ingestion Doubt