QRadar Integration Magnitude Query not returning expected results



L2 Linker

Got a QRadar integration.
It's supposed to pull back offenses with magnitude > 4.

 

However, our metrics are much higher than what the client expects.

When reviewing, this case got pulled into XSOAR:




However, when exporting QRadar, the incident has the following:


 

In the second column you can see magnitude has a value of 2; so in theory I don't think this should have ever created an incident within XSOAR.

Any thoughts?

Thanks!


L2 Linker

Can you kindly share the integration instance settings, namely the query used for fetch? If set correctly, XSOAR should not be returning any incidents from the API with 'magnitudes' under the threshold used to filter 'fetch'.

I also suggest testing the query in the QRadar API playground to ensure it performs as expected. If it doesn't, cross-reference the search/query syntax with the QRadar documentation, test again in the QRadar API playground, then update your integration instance in XSOAR.

Hope this helps.


 

What's confusing is that if I look at example incident 201769, the magnitude is recorded as 5 under the incident's QRadar Offense tab.

Then if I go run the following in the playground it shows a magnitude of 2.

!qradar-offenses-list offense_id=201769 fields=magnitude
Magnitude2

Not familiar with QRadar; can a user modify the magnitude of an offense?
The only thing I can think of is that we're recording the incident when it's created and then the magnitude is changing on the QRadar side.
Though XSOAR recorded 400+ incidents for March, and QRadar only has 13 offenses that are >4 in March. Client says they're not changing.


Can a user modify the magnitude of an offense?

No, this is a calculation based on the Severity, Relevance and Credibility.

 

From the details you have given so far, there is a discrepancy between Q and XSOAR. What you can do here is to use the same query in the QR interactive API guide and find out if the returned result is the same; if it is, this has to be raised with QR support.

 

Query Examples: https://www.ibm.com/docs/en/qsip/7.3.3?topic=api-filter-syntax

API Access guide: https://www.ibm.com/docs/en/qradar-on-cloud?topic=api-accessing-interactive-documentation-page
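An added example, not code from this thread or from the XSOAR QRadar integration: a small Python reconciliation of the magnitudes XSOAR recorded at fetch time against a current QRadar offense export, which separates "the fetch filter was never applied" from "the offense was re-scored after XSOAR fetched it". The offense field names are assumed to follow the QRadar offenses API response, and all data is constructed.

```python
"""Reconcile XSOAR incidents against a QRadar offense export.

Constructed sample data. The offense field names (id, magnitude, severity,
credibility, relevance) are an assumption based on the QRadar
/api/siem/offenses response, not values taken from the thread.
"""
import json

FETCH_THRESHOLD = 4  # the integration is meant to fetch only magnitude > 4

# Constructed: what XSOAR recorded for each incident when it was created.
XSOAR_INCIDENTS = [
    {"incident_id": 201769, "offense_id": 201769, "magnitude_at_fetch": 5},
    {"incident_id": 201770, "offense_id": 201770, "magnitude_at_fetch": 6},
    {"incident_id": 201771, "offense_id": 201771, "magnitude_at_fetch": 3},
]

# Constructed: the same offenses as exported from QRadar today.
QRADAR_EXPORT = json.loads("""[
  {"id": 201769, "magnitude": 2, "severity": 3, "credibility": 2, "relevance": 1},
  {"id": 201770, "magnitude": 6, "severity": 7, "credibility": 5, "relevance": 6},
  {"id": 201771, "magnitude": 3, "severity": 4, "credibility": 2, "relevance": 2}
]""")


def fetch_filter(threshold=FETCH_THRESHOLD):
    """Filter string, in QRadar API filter syntax, for the offenses endpoint."""
    return f"magnitude > {threshold}"


def apply_filter(offenses, threshold=FETCH_THRESHOLD):
    """Emulate the server-side filter: offense ids that pass magnitude > threshold."""
    return sorted(o["id"] for o in offenses if o["magnitude"] > threshold)


def reconcile(incidents, offenses, threshold=FETCH_THRESHOLD):
    """Classify each XSOAR incident against the current QRadar magnitude.

    below_at_fetch: recorded magnitude never exceeded the threshold, so the
                    fetch query is wrong or is not being applied.
    drifted:        magnitude changed since fetch (offense re-scored in QRadar).
    """
    current = {o["id"]: o["magnitude"] for o in offenses}
    report = {"below_at_fetch": [], "drifted": [], "consistent": []}
    for inc in incidents:
        recorded, now = inc["magnitude_at_fetch"], current.get(inc["offense_id"])
        if recorded <= threshold:
            report["below_at_fetch"].append(inc["incident_id"])
        elif now is not None and now != recorded:
            report["drifted"].append(inc["incident_id"])
        else:
            report["consistent"].append(inc["incident_id"])
    return report
```

Incidents in `below_at_fetch` point at the instance's fetch query; incidents in `drifted` point at QRadar re-scoring the offense after it was fetched, which is the case to raise with QRadar support.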
