IBM QRadar | Marketplace

Details
Content
Dependencies
Version History

Fetch offenses as incidents and search QRadar

QRadar aggregates and parses logs that come in from various data sources. The QRadar admin creates rules for detecting suspicious traffic, suspicious IDs, etc., and runs searches to obtain additional data about these offences.

What does this pack do?

The integration in this pack automatically fetches the offences from QRadar along with all the additional data about the offenses. The data from QRadar is populated into XSOAR incident fields providing the XSOAR analyst with all the information about the incident just by performing a fetch.

Using the commands in the integration, you can leverage what the QRadar API has to offer, such as:

Editing objects
Getting object lists
Adding notes
Basically, you can perform tasks that a user would need to do manually in the QRadar UI or would need to provide automations to do.

For more information, visit our Cortex XSOAR Developer Docs.

If you're new to our QRadar Content Pack, check out our Ingest Incidents from a SIEM Using QRadar tutorial.

What does this pack do?

Using the commands in the integration, you can leverage what the QRadar API has to offer, such as:

Editing objects
Getting object lists
Adding notes
Basically, you can perform tasks that a user would need to do manually in the QRadar UI or would need to provide automations to do.

For more information, visit our Cortex XSIAM Developer Docs.

If you're new to our QRadar Content Pack, check out our Ingest Incidents from a SIEM Using QRadar tutorial.

Automations

Name	Description
QRadarFullSearch	Deprecated. No available replacement. This Script runs a QRadar query and return its results to the war-room.
QRadarPrintEvents	This script prints the events fetched from the offense in a table format.
QRadarClassifier	Deprecated. No available replacement. This script Classifies QRadar incidents.\nThe 'QRADAR_CATEGORIES' dictionary translate QRadar 'High level Categories' to its 'Demisto Types' counterpart.\n\nFor custom categories, use the 'customCategories' argument.\nThe offense high level category will be put to context.
QRadarMagnitude	This enables to color the field according to the magnitude. The scale is 1-3 green 4-7 yellow 8-10 red.
QRadarCreateAQLQuery	Build QRadar AQL Query.
QRadarFetchedEventsSum	This display the amount of fetched events vs the total amount of events in the offense.
QRadarPrintAssets	This script prints the assets fetched from the offense in a table format.
QRadarGetCorrelationLogs	Deprecated. Use the QRadarCorrelationLog playbook instead. Return the QRadar Correlation logs if exist
QRadarMirroringEventsStatus	This displays the mirrored events status in the offense.
QRadarGetOffenseCorrelations	Deprecated. Use the QradarGetOffenseCorrlations_v2 Playbook instead. Return the QRadar offense correlations if exist in logs.

Classifiers

Name	Description
QRadar - Classifier	Classifies QRadar events.
QRadar - Incoming Mapper	Maps QRadar event fields.
QRadar - Generic Incoming Mapper	Default Mapping for Qradar Offenses, Events, and Assets.

Incident Fields

Name	Description
Severity - Offense	The severity of the offense.
Status - Offense	The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
Username Count - Offense	The number of usernames that are associated with the offense.
Relevance - Offense	The relevance of the offense.
Destination IP - Offense	The destination addresses associated with the offense.
Domain - Offense	ID of associated domain if the offense is associated with a single domain.
Source IP - Offense	The source addresses associated with the offense.
Source Network - Offense	The source network related to the offense.
List of Rules - Offense	The list of rules associated with the offense.
Description - Offense	The description of the offense.
Link To Offense	The link to the QRadar offense.
Destination Network - Offense	The destination network related to the offense.
ID - Offense	The ID of the offense.
Offense Inactive	True if the offense is inactive.
Number Of Fetched Events	The number of events fetched with the offense.
Type - Offense	The type of the offense.
Magnitude - Offense	The magnitude of the offense.
Credibility - Offense	The credibility of the offense.
Number Of Events In Offense	The number of events that are associated with the offense.
Number Of Flows	Offense Number Of Flows.
Low Level Categories - Offense	Event categories that are associated with the offense.

Incident Types

Name	Description
Qradar Generic

Integrations

Name	Description
IBM QRadar v3	IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise, supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.
IBM QRadar v2 (Deprecated)	Deprecated. Use the IBM QRadar v3 integration instead. Fetch offenses from QRadar using Cortex XSOAR. Supports API versions until 10.0. You can fetch the offenses with their related events and assets by creating a comma-separated list of event fields.
IBM QRadar (Deprecated)	Deprecated. Use IBM QRadar v2 or IBM QRadar v3 instead.

Layouts

Name	Description
Qradar Generic

Playbooks

Name	Description
QRadar - Get offense correlations v2	Deprecated. Use the "QRadar - Get Offense Logs" playbook instead. Run on a QRadar offense to get more information: Get all correlations relevant to the offense Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True") Inputs: GetCorrelationLogs (default: False) MaxLogsCount (default: 20)
Access Investigation - QRadar	Deprecated. No available replacement. This playbook uses the QRadar integration to investigate an access incident by gathering user and IP information. The playbook then interacts with the user that triggered the incident to confirm whether or not they initiated the access action.
QRadar - Get Offense Logs	Works for QRadar integration version 3, v1 and v2 are deprecated. Note: You can use the integration to fetch the events with the offense however it will fetch the events according to the specified limit defined in the instance settings. By using this playbook you can define an additional search to query a larger number of logs. Default playbook inputs use the QRadar incident fields such as idoffense, starttime. These fields can be replaced but need to point to relevant offense ID and starttime fields.
TIM - QRadar Add Bad Hash Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
QRadar Indicator Hunting V2	The Playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or urls.
QRadar Build Query and Search	The QRadar Build Query and Search playbook creates an AQL query for the QRadar SIEM using the QRadarCreateAQLQuery automation queries. Complex queries take into consideration several inputs and allow including or excluding each of the values as well as performing a full or partial search. Each of the values can be searched across several fields. The playbook supports 3 separate conditions to be evaluated. For example, in the first condition, inputs will evaluate several user names that may or may not exist in several fields. The second input, can for example, evaluate for IP addresses in several fields that may or may not exist in several fields, and a third value can search for an event ID that may or may not exist in several fields. The results of all of the inputs will create an AQL query that covers all of the inputs combining all of the different conditions. Each of the inputs is validated so in case the inputs are not set correctly, the user can review and run them again. Also, populated inputs will be combined, meaning by populating the first and second values the resulting AQL query will be a combination of all of the values and not 3 separate searches. In addition, make sure to populate the inputs in order according to the indexed fields in QRadar (indexed fields should be provided before non indexed ones).
QRadar Get Hunting Results	This playbook is used to sort the QRadar search results to display the IP addresses, assets, and usernames that the search provided. In addition, the results allow you to differentiate between internal and external IP addresses as well as query the QRadar assets API in order to get the assets details from the IP addresses. You can provide the QRadar fields names and the organizations' IP ranges in order to properly sort the data. The end result of the playbook will be the internal and external IP addresses detected as well as the assets and users.
QRadarCorrelationLog	Deprecated. Use the "QRadar - Get Offense Logs"\ \ playbook instead. This playbook retrieves the correlation logs of multiple QIDs.
TIM - QRadar Add Domain Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add Url Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add IP Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
QRadar Indicator Hunting	Deprecated. Use the "QRadar Indicator Hunting V2" playbook instead.
QRadarFullSearch	Deprecated.Use the following command instead `qradar-search-retrieve-results`. This playbook runs a QRadar query and return its results to the context.
QRadar Generic	The QRadar Generic playbook is executed for the QRadar Generic incident type. It performs all the common parts of the investigation, including notifying the SOC, enriching data for indicators and users, calculating severity, assigning incidents, and notifying the SIEM admin about false positives.

Automations

Name	Description
QRadarMagnitude	This enables to color the field according to the magnitude. The scale is 1-3 green 4-7 yellow 8-10 red.
QRadarGetOffenseCorrelations	Deprecated. Use the QradarGetOffenseCorrlations_v2 Playbook instead. Return the QRadar offense correlations if exist in logs.
QRadarPrintEvents	This script prints the events fetched from the offense in a table format.
QRadarFullSearch	Deprecated. No available replacement. This Script runs a QRadar query and return its results to the war-room.
QRadarGetCorrelationLogs	Deprecated. Use the QRadarCorrelationLog playbook instead. Return the QRadar Correlation logs if exist
QRadarPrintAssets	This script prints the assets fetched from the offense in a table format.
QRadarMirroringEventsStatus	This displays the mirrored events status in the offense.
QRadarCreateAQLQuery	Build QRadar AQL Query.
QRadarFetchedEventsSum	This display the amount of fetched events vs the total amount of events in the offense.

Classifiers

Name	Description
QRadar - Classifier	Classifies QRadar events.
QRadar - Incoming Mapper	Maps QRadar event fields.
QRadar - Generic Incoming Mapper	Default Mapping for Qradar Offenses, Events, and Assets.

Incident Fields

Name	Description
Low Level Categories - Offense	Event categories that are associated with the offense.
Status - Offense	The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
Link To Offense	The link to the QRadar offense.
Offense Inactive	True if the offense is inactive.
Number Of Fetched Events	The number of events fetched with the offense.
Severity - Offense	The severity of the offense.
ID - Offense	The ID of the offense.
List of Rules - Offense	The list of rules associated with the offense.
Number Of Flows	Offense Number Of Flows.
Number Of Events In Offense	The number of events that are associated with the offense.
Credibility - Offense	The credibility of the offense.
Username Count - Offense	The number of usernames that are associated with the offense.
Description - Offense	The description of the offense.
Magnitude - Offense	The magnitude of the offense.
Relevance - Offense	The relevance of the offense.

Incident Types

Name	Description
Qradar Generic

Integrations

Name	Description
IBM QRadar v3	IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise, supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.
IBM QRadar (Deprecated)	Deprecated. Use IBM QRadar v2 or IBM QRadar v3 instead.
IBM QRadar v2 (Deprecated)	Deprecated. Use the IBM QRadar v3 integration instead. Fetch offenses from QRadar using Cortex XSIAM. Supports API versions until 10.0. You can fetch the offenses with their related events and assets by creating a comma-separated list of event fields.

Playbooks

Name	Description
QRadar - Get offense correlations v2	Deprecated. Use the "QRadar - Get Offense Logs" playbook instead. Run on a QRadar offense to get more information: Get all correlations relevant to the offense Get all logs relevant to the correlations (not done by default - set "GetCorrelationLogs" to "True") Inputs: GetCorrelationLogs (default: False) MaxLogsCount (default: 20)
Access Investigation - QRadar	Deprecated. No available replacement. This playbook uses the QRadar integration to investigate an access alert by gathering user and IP information. The playbook then interacts with the user that triggered the alert to confirm whether or not they initiated the access action.
TIM - QRadar Add Domain Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
QRadarCorrelationLog	Deprecated. Use the "QRadar - Get Offense Logs"\ \ playbook instead. This playbook retrieves the correlation logs of multiple QIDs.
QRadar Generic	The QRadar Generic playbook is executed for the QRadar Generic alert type. It performs all the common parts of the investigation, including notifying the SOC, enriching data for indicators and users, calculating severity, assigning alerts, and notifying the SIEM admin about false positives.
TIM - QRadar Add Url Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
TIM - QRadar Add Bad Hash Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.
QRadar Get Hunting Results	This playbook is used to sort the QRadar search results to display the IP addresses, assets, and usernames that the search provided. In addition, the results allow you to differentiate between internal and external IP addresses as well as query the QRadar assets API in order to get the assets details from the IP addresses. You can provide the QRadar fields names and the organizations' IP ranges in order to properly sort the data. The end result of the playbook will be the internal and external IP addresses detected as well as the assets and users.
QRadarFullSearch	Deprecated.Use the following command instead `qradar-search-retrieve-results`. This playbook runs a QRadar query and return its results to the context.
QRadar Indicator Hunting	Deprecated. Use the "QRadar Indicator Hunting V2" playbook instead.
QRadar Indicator Hunting V2	The Playbook queries QRadar SIEM for indicators such as file hashes, IP addresses, domains, or urls.
QRadar - Get Offense Logs	Works for QRadar integration version 3, v1 and v2 are deprecated. Note: You can use the integration to fetch the events with the offense however it will fetch the events according to the specified limit defined in the instance settings. By using this playbook you can define an additional search to query a larger number of logs. Default playbook inputs use the QRadar alert fields such as idoffense, starttime. These fields can be replaced but need to point to relevant offense ID and starttime fields.
QRadar Build Query and Search	The QRadar Build Query and Search playbook creates an AQL query for the QRadar SIEM using the QRadarCreateAQLQuery automation queries. Complex queries take into consideration several inputs and allow including or excluding each of the values as well as performing a full or partial search. Each of the values can be searched across several fields. The playbook supports 3 separate conditions to be evaluated. For example, in the first condition, inputs will evaluate several user names that may or may not exist in several fields. The second input, can for example, evaluate for IP addresses in several fields that may or may not exist in several fields, and a third value can search for an event ID that may or may not exist in several fields. The results of all of the inputs will create an AQL query that covers all of the inputs combining all of the different conditions. Each of the inputs is validated so in case the inputs are not set correctly, the user can review and run them again. Also, populated inputs will be combined, meaning by populating the first and second values the resulting AQL query will be a combination of all of the values and not 3 separate searches. In addition, make sure to populate the inputs in order according to the indexed fields in QRadar (indexed fields should be provided before non indexed ones).
TIM - QRadar Add IP Indicators	This playbook queries indicators based on a pre-defined query or results from a parent playbook, and adds the resulting indicators to a QRadar Reference Set. The Reference Set name must be defined in the playbook inputs.

Required Content Packs (5)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (2)

Pack Name	Pack By
Access Investigation	By: Cortex XSOAR
Asset	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Base	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Types	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

2.5.8 - 1647729 (November 14, 2024)

Integrations

IBM QRadar v3

Updated the Docker image to: demisto/python3:3.11.10.115186.

Scripts

QRadarMirroringEventsStatus

Updated the Docker image to: demisto/python3:3.11.10.115186.

QRadarCreateAQLQuery

Updated the Docker image to: demisto/python3:3.11.10.115186.

Related pull requests:
- 37147
- 37137
- 37136
- 37140
- 37138
- 37139

Download

2.5.7 - R1644440 (November 13, 2024)

Integrations

IBM QRadar v3

Updated the Docker image to: demisto/python3:3.11.10.113941.

Scripts

QRadarMirroringEventsStatus

Updated the Docker image to: demisto/python3:3.11.10.113941.

QRadarMagnitude

Updated the Docker image to: demisto/python3:3.11.10.113941.

QRadarPrintEvents

Updated the Docker image to: demisto/python3:3.11.10.113941.

QRadarCreateAQLQuery

Updated the Docker image to: demisto/python3:3.11.10.113941.

QRadarPrintAssets

Updated the Docker image to: demisto/python3:3.11.10.113941.

QRadarFetchedEventsSum

Updated the Docker image to: demisto/python3:3.11.10.113941.

Related pull requests:
- 37006
- 36995
- 36994
- 36998
- 36993
- 36992
- 36997

Download

2.5.6 - 1565697 (October 30, 2024)

Playbooks

QRadar Generic

Fixed an issue where the username involved in the QRadar offense was not enriched.

Related pull requests:
- 36884

Download

2.5.5 - 1452832 (September 30, 2024)

Integrations

IBM QRadar v3

Added the quiet_mode argument to the qradar-indicators-upload command to avoid large outputs

Related pull requests:
- 36552

Download

2.5.4 - 1345259 (September 4, 2024)

Integrations

IBM QRadar v3

Added the quiet_mode argument to the qradar-reference-set-value-upsert command.
Updated the docker image to: demisto/python3:3.11.9.107902.

Related pull requests:
- 36133

Download

2.5.3 - 1300648 (August 22, 2024)

Integrations

IBM QRadar v3

Fixed an issue with Maximum number of assets to fetch configuration.

Related pull requests:
- 35979

Download

2.5.2 - 1226445 (July 30, 2024)

Playbooks

QRadar Generic

Added conditions to the task "Run additional searches?" to avoid playbook errors.

Related pull requests:
- 35616

Download

2.5.1 - 1147658 (July 4, 2024)

Layouts

Qradar Generic
Improved layout QRadar offense tab to use External Start Time instead of start_time and External Last Updated Time instead of Last Update Time.

Mappers

QRadar - Generic Incoming Mapper

Added a mapping for incident fields: External Last Updated Time and External Start Time.

Related pull requests:
- 35222

Download

2.5.0 - 1084629 (June 10, 2024)

Integrations

IBM QRadar v3

Added support for API Execution Metric reporting for QRadar commands, excluding long-running commands such as fetch incidents.

Related pull requests:
- 34485

Download

2.4.59 - 1074409 (June 6, 2024)

Integrations

IBM QRadar v3

Added the following new commands:
- qradar-search-delete
- qradar-search-cancel
Improved implementation of the fetch mechanism to cancel unnecessary search query.
Updated the qradar-search-retrieve-events command to automatically cancel the search query when reaching the polling timeout.
Updated the Docker image to: demisto/python3:3.10.14.96411.

Related pull requests:
- 34443

Download

2.4.58 - R1051712 (May 28, 2024)

Integrations

IBM QRadar v3

Fixed an issue where the Events Mirroring Status was not displayed correctly when event mirroring reached the events limit.

Related pull requests:
- 34079

Download

2.4.57 - 962639 (April 17, 2024)

Integrations

IBM QRadar v3

Command qradar-get-note is deprecated. Use qradar-offense-notes-list instead.
Command qradar-create-note is deprecated. Use qradar-offense-note-create instead.
Command qradar-get-asset-by-id is deprecated. Use qradar-assets-list instead.
Command qradar-offenses is deprecated. Use qradar-offenses-list instead.
Command qradar-update-reference-set-value is deprecated. Use qradar-reference-set-value-upsert instead.
Command qradar-create-reference-set is deprecated. Use qradar-reference-set-create instead.
Command qradar-get-domains is deprecated. Use qradar-domains-list instead.
Command qradar-offense-by-id is deprecated. Use qradar-offenses-list instead.
Command qradar-searches is deprecated. Use qradar-search-create instead.
Command qradar-delete-reference-set is deprecated. Use qradar-reference-set-delete instead.
Command qradar-get-search is deprecated. Use qradar-search-status-get instead.
Command qradar-create-reference-set-value is deprecated. Use qradar-reference-set-value-upsert instead.
Command qradar-get-closing-reasons is deprecated. Use qradar-closing-reasons instead.
Command qradar-get-assets is deprecated. Use qradar-assets-list instead.
Command qradar-get-domain-by-id is deprecated. Use qradar-domains-list instead.
Command qradar-update-offense is deprecated. Use qradar-offense-update instead.
Command qradar-delete-reference-set-value is deprecated. Use qradar-reference-set-value-delete instead.
Command qradar-get-search-results is deprecated. Use qradar-search-results-get instead.
Command qradar-get-reference-by-name is deprecated. Use qradar-reference-sets-list instead.
Updated the Docker image to: demisto/python3:3.10.14.92207.

Related pull requests:
- 33910

Download

2.4.56 - 961102 (April 16, 2024)

Integrations

IBM QRadar v3

Added an argument timeout_in_second in qradar-search-retrieve-events command to increase the default polling timeout.

Related pull requests:
- 33936

Download

2.4.55 - 945534 (April 9, 2024)

Integrations

IBM QRadar v3

Fixed an issue when qradar-reference-set-value-delete command did not perform double encoding for the value argument.

Related pull requests:
- 33732

Download

2.4.54 - 917306 (March 27, 2024)

Integrations

IBM QRadar v3

Fixed an issue where fetch-incidents stop working when monitor.long.running.enabled configuration is disable.

Related pull requests:
- 33542

Download

2.4.53 - 916317 (March 26, 2024)

Integrations

IBM QRadar v3

Added the following log source management commands:
- qradar-event-collectors-list
- qradar-wincollect-destinations-list
- qradar-disconnected-log-collectors-list
- qradar-log-source-types-list
- qradar-log-source-protocol-types-list
- qradar-log-source-extensions-list
- qradar-log-source-languages-list
- qradar-log-source-groups-list
- qradar-log-source-delete
- qradar-log-source-create
- qradar-log-source-update
Added support for getting a single log source using the id argument in the qradar-log-sources-list command.

Related pull requests:
- 33542
- 33239

Download

2.4.52 - 904622 (March 20, 2024)

Scripts

QRadarPrintAssets

Updated the Docker image to: demisto/python3:3.10.13.89009.

QRadarFetchedEventsSum

Updated the Docker image to: demisto/python3:3.10.13.89009.

QRadarMagnitude

Updated the Docker image to: demisto/python3:3.10.13.89009.

QRadarPrintEvents

Updated the Docker image to: demisto/python3:3.10.13.89009.

Related pull requests:
- 33391
- 33314
- 33318
- 33328
- 33357
- 33344
- 33359
- 33348

Download

2.4.51 - 897231 (March 18, 2024)

Playbooks

QRadar Indicator Hunting V2

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

QRadar Get Hunting Results

Updated the input 'InternalRange' to use the 'PrivateIPs' list.

Related pull requests:
- 33201

Download

2.4.50 - R851225 (February 25, 2024)

Integrations

IBM QRadar v3

Fixed an issue in qradar-reference-sets-list when using the ref_name argument with filter or range arguments didn't effect on the results as expected.
Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 32779

Download

2.4.49 - 832237 (February 16, 2024)

Integrations

IBM QRadar v3

Added a recovery mechanism in fetch-incidents in cases where the long running container crashes when creating incidents.
Added a parameter of assets_limit to the integration configuration to limit the incident size. The default is 100.

Related pull requests:
- 32502

Download

2.4.48 - 828628 (February 14, 2024)

Integrations

IBM QRadar (Deprecated)

Documentation and metadata improvements.

Related pull requests:
- 32855

Download

2.4.47 - R771322 (January 18, 2024)

Integrations

IBM QRadar v3

Added a clarification in the help section that in order to fetch offenses and events, the Long running instance parameter must be set to true.

Related pull requests:
- 31689

Download

2.4.46 - R7205435 (December 19, 2023)

Playbooks

QRadar Build Query and Search

Updated the deprecated sub-playbook 'QradarFullSearch' to the command 'qradar-search-retrieve-events'.

QRadar - Get Offense Logs

Updated the deprecated sub-playbook 'QradarFullSearch' to the command 'qradar-search-retrieve-events'.

QRadarFullSearch

Deprecated. Use the following command instead - 'qradar-search-retrieve-events'.

Related pull requests:
- 31328

Download

2.4.45 - 7132024 (December 11, 2023)

Integrations

IBM QRadar v3

Added the Timeout for http-requests integration parameter to avoid read timeouts from Qradar api (seconds).
Added the Fetch Incidents Interval integration parameter to configure the fetch-incidents interval (seconds).
Fixed an issue where the test of the integration reached into timeouts.
Added support to recover from connection errors in all Qradar commands.
Updated the default value of the Number of offenses to pull per API call integration parameter to 10.
Updated the Docker image to: demisto/python3:3.10.13.83255.

Related pull requests:
- 31339

Download

2.4.44 - 7098642 (December 7, 2023)

Mappers

QRadar - Generic Incoming Mapper

Updated the mapper to use Last Mirrored Time Stamp incident field instead of LastMirroredInTime incident field.

Scripts

QRadarMirroringEventsStatus

Updated the script to use Last Mirrored Time Stamp incident field instead of LastMirroredInTime incident field.
Updated the Docker image to: demisto/python3:3.10.13.82467.

Related pull requests:
- 31281

Download

2.4.43 - 7076512 (December 5, 2023)

Integrations

IBM QRadar v3

Fixed an issue where the qradar-reference-set-value-upsert and qradar_indicators_upload_command commands failed because of connection issues to Qradar.
Updated the Docker image to: demisto/python3:3.10.13.82076.

Related pull requests:
- 31246

Download

2.4.42 - 7061914 (December 4, 2023)

Integrations

IBM QRadar v3

Fixed an issue in qradar-search-retrieve-events to continue to poll in case of temporarily networking issues to QRadar.

Related pull requests:
- 31084

Download

2.4.41 - 6932727 (November 19, 2023)

Integrations

IBM QRadar v3

Added support for Close Notes in XSOAR when closing offense in QRadar.

Related pull requests:
- 30369

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	July 26, 2020
Last Release	November 14, 2024

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.