Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-02-2020 09:27 PM
Hi, How to filter out the incidents ingestion in to demisto from Qradar based on time.
Eg:
I have been integrated Demisto with Qradar on today and i want to start recieveing offences only generated from today.
We have done some filtering to recieve only active offeneces on integration tab (status="OPEN") but we need to recieve offences which are generated from today. Can i get the filter same as like mentioned above.
Regards,
07-03-2020 01:21 PM
Hi,
This is how all integrations implement the ingestion mechanism. When you set up a new integration instance that "fetch" incidents - it will mostly look for last 10 minutes, and fetch only "alerts" from that timeframe. Then, once an incident is "fetched", the system will maintain that id, and in the next cycle it will start searching from that point onward.
Specifically for QRadar - it will start ingesting incidents from the moment you configured the instance, so you will only get QRadar Offenses that are created after the integration is activated. The query parameter that you can set up in the integration configuration will be applied on top of this time frame consideration (and not as a substitute)
Gilad
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
