Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Close Incident when offense closed via Qradar

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Close Incident when offense closed via Qradar

L2 Linker

Hi , 
Is there any option to automatically close Incident when offense closed via Qradar ?

In the integration setting there is the option - "Close Mirrored XSOAR Incident" but it doesn't for work me.

 

6 REPLIES 6

L4 Transporter

Hi @Bar_Magnezi ,

 

Can you see any errors in the logs? Also, did you define any query in the integration? If you are only getting open offendes, closed ones cannot be mirrored. 

gyldz_0-1684487486089.png

 

I don't have any errors and I didn't define any Query...

Just to be clear ill explain exactly what I need... 

1. Firstly , An offense started

2. XSOAR makes an incident out of it and a playbook starts to run

3. The playbook is waiting for a user input , but for some reason the analyst closed the offense from the Qradar.

Is there any way to automatically close the incident when the Qradar offense got closed ?

If the mirroring configuration works as expected, the incident should automatically be closed in XSOAR. Did you select the below option from the instance configuration?

gyldz_0-1684826402232.png

 

Yes I did select this option and it still doesn't work

L3 Networker

Have you enabled mirroring on your QRadar integration? You'll need the "Mirroring Options" selector set to one of the mirror options for the "Close Mirrored XSOAR Incident" option to work.

L2 Linker

If you can not use that "mirroring options". You can create one of the post processing script which design with an automation of "qradar-offense-update"However, mirroring is the best option for this.

  • 1973 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!