Got a QRadar integration.
It's suppose to pull back offenses with magnitude > 4
However, our metrics are much higher than what the client expects.
When reviewing this case got pulled into XSOAR:
However, when exporting QRadar, the incident has the following:
In the second column you can see magnitude has a value of 2; so in theory I don't think this should have ever created an incident within XSOAR.
Can you kindly share the integration instance settings? namely the query used for fetch. If set correctly, XSOAR should not be returning any incidents from the API with 'magnitudes' under threshold - used to filter 'fetch'
I also suggest test query in Qradar API playground to ensure it performs as expected. If it doesn't, cross reference the search/query syntax with Qradar documentation, test again Qradar API playground, then update you integration instance in XSOAR.
Hope this helps.
Whats confusing is if look at example incident 201769, the magnitude is recorded as 5 under the incident's QRadar Offense tab.
Then if I go run the following in the playground it shows a magnitude of 2.
Can a user modify the magnitude of an offense?
No, This is a calculation based on the Severity, Relevance and Credibility.
From the details you have given so far, there is a discrepancy between Q and XSOAR. What you can do here is to use the same query in the QR interactive API guide and find out if the returned result is the same if it is this has to be raised with QR support.
Query Examples : https://www.ibm.com/docs/en/qsip/7.3.3?topic=api-filter-syntax
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!