XSOAR Qradar Offense Ingestion Doubt


L0 Member

Hello all,

We have a situation and would like to clarify whether it is a misconfiguration or expected behaviour.

The QRadar integration is only fetching offenses that include specific rule IDs, but the way QRadar works, it associates new events and new rules with an offense while we do not close the offense.
This means that, for example, the rule that triggered offense number X is not one of the rules identified to fetch offenses in XSOAR, so it is not fetched to XSOAR; but it can be the case that 10/20 minutes later a new alert is triggered, generated by a rule that is identified to be fetched to QRadar.
But as the last fetched timestamp and offense ID are higher than the time and ID of the offense that was updated with new events and rule IDs, it is not fetched anymore.


Is there any way to fix it?


Thanks in advance,

Davide Silva

1 REPLY 1

L3 Networker

Hello @DSilva8

Can you share the query you are using in XSOAR to pull in offenses from QRadar? 
I think what you are describing is the expected behavior. Unless your query for specific rule IDs triggers new offenses in QRadar, you won't see those offenses being ingested into XSOAR. This is because they are related to other offenses that don't match your query.
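A constructed simulation of the watermark behaviour discussed in this thread, added here as an illustration; it is not the XSOAR QRadar integration's code, and the field names (start_time, last_updated_time, rule_ids) and the update-time cursor are assumptions, not integration settings.

```python
from dataclasses import dataclass, field

@dataclass
class Offense:
    id: int
    start_time: int          # when QRadar opened the offense (epoch seconds, constructed)
    last_updated_time: int   # last time QRadar attached a new event/rule (constructed)
    rule_ids: set = field(default_factory=set)

WANTED_RULES = {42}          # the rule IDs the fetch is filtered on (constructed)

def make_offenses():
    """Constructed sample: offense 100 opens under rule 7 (not wanted), offense 101
    opens later under rule 42 (wanted) and is fetched first, moving the watermark past 100."""
    return [
        Offense(100, start_time=1000, last_updated_time=1000, rule_ids={7}),
        Offense(101, start_time=1100, last_updated_time=1100, rule_ids={42}),
    ]

def fetch_by_id(offenses, wanted_rules, last_id):
    """Watermark on offense ID: only offenses newer than the last fetched ID are considered."""
    hits = [o for o in offenses if o.id > last_id and o.rule_ids & wanted_rules]
    new_mark = max([last_id] + [o.id for o in hits])
    return [o.id for o in hits], new_mark

def fetch_by_update_time(offenses, wanted_rules, last_update):
    """Assumed alternative cursor on last_updated_time: an offense re-enters the fetch
    window whenever QRadar attaches new events/rules to it."""
    hits = [o for o in offenses
            if o.last_updated_time > last_update and o.rule_ids & wanted_rules]
    new_mark = max([last_update] + [o.last_updated_time for o in hits])
    return [o.id for o in hits], new_mark

def scenario():
    """Replays the thread's case: cycle 1 fetches, then offense 100 gains rule 42, cycle 2 fetches."""
    offenses = make_offenses()
    by_id, id_mark = fetch_by_id(offenses, WANTED_RULES, 0)              # cycle 1
    by_upd, upd_mark = fetch_by_update_time(offenses, WANTED_RULES, 0)   # cycle 1
    # 20 minutes later QRadar correlates a new event under rule 42 into offense 100
    offenses[0].rule_ids.add(42)
    offenses[0].last_updated_time = 2300
    by_id2, _ = fetch_by_id(offenses, WANTED_RULES, id_mark)             # cycle 2: 100 <= 101, skipped
    by_upd2, _ = fetch_by_update_time(offenses, WANTED_RULES, upd_mark)  # cycle 2: 2300 > 1100, picked up
    return {"id_cycle1": by_id, "id_cycle2": by_id2,
            "upd_cycle1": by_upd, "upd_cycle2": by_upd2}
```

Running scenario() shows the ID watermark never returns offense 100 once offense 101 has been fetched, while an update-time cursor would surface it on the next cycle.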
