Demisto-Qradar Integration

YeswanthKumar — Fri, 03 Jul 2020 04:27:19 GMT

Hi, How to filter out the incidents ingestion in to demisto from Qradar based on time.

Eg:

I have been integrated Demisto with Qradar on today and i want to start recieveing offences only generated from today.

We have done some filtering to recieve only active offeneces on integration tab (status="OPEN") but we need to recieve offences which are generated from today. Can i get the filter same as like mentioned above.

Regards,

Re: Demisto-Qradar Integration

GShriki — Fri, 03 Jul 2020 20:21:01 GMT

Hi,

This is how all integrations implement the ingestion mechanism. When you set up a new integration instance that "fetch" incidents - it will mostly look for last 10 minutes, and fetch only "alerts" from that timeframe. Then, once an incident is "fetched", the system will maintain that id, and in the next cycle it will start searching from that point onward.

Specifically for QRadar - it will start ingesting incidents from the moment you configured the instance, so you will only get QRadar Offenses that are created after the integration is activated. The query parameter that you can set up in the integration configuration will be applied on top of this time frame consideration (and not as a substitute)

Gilad

topic Demisto-Qradar Integration in Cortex XSOAR Discussions

Demisto-Qradar Integration

Re: Demisto-Qradar Integration