XSOAR Qradar Ingestion

michaelsysec242 — Sun, 13 Feb 2022 08:32:05 GMT

I am attempting to ingest Qradar into the XSOAR using the Integration. I need to pull custom fields from the SIEM and what I need to understand is as follows;

Is it preferable to pull these fields within an AQL Search at the playbook stage ?

Or is it preferable to pull these fields from Qradar Integration setting ?

The use case is as follows;

I am dealing with a SIEM that has different fields assigned per offence type. For example, Target Domain(Custom) appears in a particular offence and under a different name in a different offence. I do not have access to change the Qradar Fields.

My preferable solution would be to perform a search according to each type within the playbook.

Can someone provide me with an example of a simple AQL Query for pulling a Custom field and its contents for a specific offence ?

Thanks in Advanced

Re: XSOAR Qradar Ingestion

gfilippov — Sat, 19 Feb 2022 20:37:09 GMT

Hi,

Unless you have a special reason to do it form the playbook then to set it in the integration instance setting would be proffered:
1. You'll save resources by not executing unnecessary commands in the playbook
2. You'll be able to map those Qradar custom fields using the Classification & Mapping XSOAR feature, which will also allow the optimal usage of pre-processing rules and more.

In this care you I think that it all depends on the amount of custom fields, and based on that you'll know which approach is better for you.

Please contact IBM regarding technical questions for Qradar's AQL, examples can be found here:
https://www.ibm.com/docs/en/qsip/7.4?topic=aql-ariel-query-language

thanks.

topic XSOAR Qradar Ingestion in Cortex XSOAR Discussions

XSOAR Qradar Ingestion

Re: XSOAR Qradar Ingestion