This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

QRadar Integration Magnitude Query not returning expected results

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

QRadar Integration Magnitude Query not returning expected results

jboyd98
L2 Linker

‎03-30-2022 09:33 AM

Got a QRadar integration. 
It's suppose to pull back offenses with magnitude > 4

 

However, our metrics are much higher than what the client expects.

When reviewing this case got pulled into XSOAR:

jboyd98_0-1648657803907.png



However, when exporting QRadar, the incident has the following:

jboyd98_1-1648657953036.png

 

In the second column you can see magnitude has a value of 2; so in theory I don't think this should have ever created an incident within XSOAR.

Any thoughts?

Thanks!

0 Likes Likes
3 REPLIES 3

jgomes
L2 Linker

‎03-31-2022 07:43 AM

Can you kindly share the integration instance settings? namely the query used for fetch. If set correctly, XSOAR should not be returning any incidents from the API with 'magnitudes' under threshold - used to filter 'fetch'

I also suggest test query in Qradar API playground to ensure it performs as expected. If it doesn't, cross reference the search/query syntax with Qradar documentation, test again Qradar API playground, then update you integration instance in XSOAR.

Hope this helps.

0 Likes Likes

jboyd98
L2 Linker
In response to jgomes

‎03-31-2022 08:53 AM

jboyd98_0-1648741397540.png

jboyd98_1-1648741429034.png

 

Whats confusing is if look at example incident 201769, the magnitude is recorded as 5 under the incident's QRadar Offense tab.

Then if I go run the following in the playground it shows a magnitude of 2.

!qradar-offenses-list offense_id=201769 fields=magnitude
Magnitude2

Not familiar with QRadar; can a user modify the magnitude of an offense?
Only thing I can think is that we're recording the incident when it's created and then the magnitude is changing on the qradar side.
Though xsoar recorded 400+ incidents for March, and QRadar only has 13 offenses that are >4 in March.  Client says they're not changing.


0 Likes Likes

vidurasupun
L2 Linker
In response to jboyd98

‎04-03-2022 01:19 AM

Can a user modify the  magnitude of an offense?

No, This is a calculation based on the Severity, Relevance and Credibility.  

 

From the details you have given so far, there is a discrepancy between Q and XSOAR. What you can do here is to use the same query in the QR interactive API guide and find out if the returned result is the same if it is this has to be raised with QR support.

 

Query Examples  : https://www.ibm.com/docs/en/qsip/7.3.3?topic=api-filter-syntax

API Access guide : https://www.ibm.com/docs/en/qradar-on-cloud?topic=api-accessing-interactive-documentation-page 

0 Likes Likes
  • 2241 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks