Question & Answer
Question
This article provides general information as to how to customize the IBM Resilient QRadar application template.
Answer
Can I send all the fields in the offense and link them to IBM Resilient fields?
Currently, not all offense fields can be escalated to an incident. The mapping is limited to those fields that are supported by the integration application.
The following offense fields are supported in a template as of June 2020 and v3.5 of the application:
| Field | Type | Use |
| assigned_to | String | The user the offense is assigned to |
| categories | Array of strings | Event categories that are associated with the offense |
| category_count | Number | The number of event categories that are associated with the offense |
| close_time | Number | The number of milliseconds since epoch when the offense was closed |
| closing_reason | String | Text description of closing reason. Translated from closing_reason_id |
| closing_reason_id | Number | The ID of the offense closing reason. The reason the offense was closed |
| closing_user | String | The user that closed the offense |
| credibility | Number | The credibility of the offense |
| description | String | The description of the offense. Filtering is not supported on this field |
| destination_networks | Array of strings | The destination networks that are associated with the offense |
| device_count | Number | The number of devices that are associated with the offense |
| domain_id | Number | Optional. ID of associated domain if the offense is associated with a single domain |
| domain_name | String | Name of domain. Translated from domain_id |
| event_count | Number | The number of events that are associated with the offense |
| flow_count | Number | The number of flows that are associated with the offense |
| follow_up | Boolean | True if the offense is marked for follow-up |
| id | Number | The ID of the offense |
| inactive | Boolean | True if the offense is inactive |
| last_updated_time | Number | The number of milliseconds since epoch when the offense was last updated |
| local_destination_address_ids | Array of numbers | The local destination address IDs that are associated with the offense |
| local_destination_addresses | Array of Strings | List of local destination addresses. Translated from local_destination_address_ids |
| local_destination_count | Number | The number of local destinations that are associated with the offense |
| magnitude | Number | The magnitude of the offense |
| offense_source | String | The source of the offense. Filtering is not supported on this field |
| offense_type | Number | A number that represents the offense type. See the Offense Type Codes table for the code to offense type mapping |
| offense_type_name | String | Text description of offense type. Translated from offense_type |
| policy_category_count | Number | The number of policy event categories that are associated with the offense |
| protected | Boolean | True if the offense is protected |
| relevance | Number | The relevance of the offense |
| remote_destination_count | Number | The number of remote destinations that are associated with the offense |
| security_category_count | Number | The number of security event categories that are associated with the offense |
| severity | Number | The severity of the offense |
| source_address_ids | Array of numbers | The source address IDs that are associated with the offense |
| source_addresses | Array of Strings | List of source IP addresses. Translated from source_address_ids |
| source_count | Number | The number of sources that are associated with the offense |
| source_network | String | The source network that is associated with the offense. Filtering is not supported on this field |
| start_time | Number | The number of milliseconds since epoch when the offense was started |
| status | String | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". The following operators are not supported when you filter on this field: "<", ">", "<=", ">=", "BETWEEN" |
| username_count | Number | The number of usernames that are associated with the offense |
Can I send more fields from the Log Source itself?
By default, the integration application adds artifacts to IBM Resilient incident based on offense source and offense type.
The remote destination IP address is not supported, only local destination IP address is retrieved from the application.
You can see the default template contains the following script:
{%- endmacro %}{
"artifacts": [
{%- if offense.offense_type in (0, 10) -%}
{{ artifact("IP Address", offense.offense_source, description, properties=[{"name": "source", "value": "true"}]) }}
{% elif offense.offense_type in (1, 11) %}
{{ artifact("IP Address", offense.offense_source, description, properties=[{"name": "destination", "value": "true"}]) }}
{% elif offense.offense_type == 3 %}
{{ artifact("User Account", offense.offense_source, description) }}
{% elif offense.offense_type == 4 %}
{{ artifact("MAC Address", offense.offense_source, description, properties=[{"name": "source", "value": "true"}]) }}
{% elif offense.offense_type == 5 %}
{{ artifact("MAC Address", offense.offense_source, description, properties=[{"name": "destination", "value": "true"}]) }}
{% elif offense.offense_type == 7 %}
{{ artifact("System Name", offense.offense_source, description) }}
{% elif offense.offense_type == 8 %}
{{ artifact("Port", offense.offense_source, description, properties=[{"name": "source", "value": "true"}]) }}
{% elif offense.offense_type == 9 %}
{{ artifact("Port", offense.offense_source, description, properties=[{"name": "destination", "value": "true"}]) }}
{% else %}
{{ artifact("String", offense.offense_source, description) }}
{%- endif -%}
How can I verify the offense fields exist so they can be mapped?
See How to use the QRadar REST API with the IBM Resilient application, which has information on how to access offense data. After the JSON returns, look at the response entry for "local_destination_address_ids." This verifies whether there are any LOCAL destination IP addresses.
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSIP9Q","label":"IBM Security SOAR"},"ARM Category":[{"code":"a8m0z0000001gyGAAQ","label":"Integrations-\u003EQRadar app"}],"ARM Case Number":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Version(s)","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
18 November 2022
UID
ibm16220358