Labels: 9.2 candidate; Crest (Contributions from Crest development team); Epic; New Integration (Issue or pull request for creating a new integration package); enhancement (New feature or request)
Description
The integration ingests "Offenses" from QRadar into Elastic Security for use with the Elastic AI SOC Engine (EASE).
Architecture
Offenses can be fetched via the QRadar API; the latest version appears to be v20.0. Documentation is here: https://ibmsecuritydocs.github.io/qradar_api_20.0/
Pending validation, a sample event contains the following fields:
```json
[
  {
    "last_persisted_time": 42,
    "username_count": 42,
    "description": "String",
    "rules": [
      {
        "id": 42,
        "type": "String <one of: ADE_RULE, BUILDING_BLOCK_RULE, CRE_RULE>"
      }
    ],
    "event_count": 42,
    "flow_count": 42,
    "assigned_to": "String",
    "security_category_count": 42,
    "follow_up": true,
    "source_address_ids": [
      42
    ],
    "source_count": 42,
    "inactive": true,
    "protected": true,
    "category_count": 42,
    "source_network": "String",
    "destination_networks": [
      "String"
    ],
    "closing_user": "String",
    "close_time": 42,
    "remote_destination_count": 42,
    "start_time": 42,
    "last_updated_time": 42,
    "credibility": 42,
    "magnitude": 42,
    "id": 42,
    "categories": [
      "String"
    ],
    "severity": 42,
    "log_sources": [
      {
        "type_name": "String",
        "type_id": 42,
        "name": "String",
        "id": 42
      }
    ],
    "policy_category_count": 42,
    "device_count": 42,
    "closing_reason_id": 42,
    "first_persisted_time": 42,
    "offense_type": 42,
    "relevance": 42,
    "domain_id": 42,
    "offense_source": "String",
    "local_destination_address_ids": [
      42
    ],
    "local_destination_count": 42,
    "status": "String <one of: OPEN, HIDDEN, CLOSED>"
  }
]
```
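As an added example (not code from this issue or from the Elastic integration), the Python sketch below shows one way an offense document of the shape above could be normalised into an ECS-style alert for Elastic Security, plus the cursor an incremental poll would carry into its next `filter`. The ECS field mapping, the epoch-millisecond timestamps, the `last_updated_time` cursor strategy and all sample values are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample offense, shaped like the v20.0 /siem/offenses response
# (field names from the API doc; values made up; times assumed to be epoch ms).
SAMPLE_OFFENSE = {
    "id": 1042, "status": "OPEN", "severity": 7, "magnitude": 5,
    "credibility": 3, "relevance": 6, "offense_type": 0,
    "description": "Excessive Firewall Denies from a single source",
    "offense_source": "10.0.0.12", "event_count": 120, "flow_count": 0,
    "start_time": 1717000000000, "last_updated_time": 1717000300000,
    "close_time": None, "closing_reason_id": None,   # open offense: not closed yet
    "categories": ["Firewall Deny"],
    "rules": [{"id": 100205, "type": "CRE_RULE"}],
    "log_sources": [{"id": 62, "name": "fw-edge-01", "type_id": 7, "type_name": "CheckPoint"}],
}

def ms_to_iso(ms):
    """Epoch milliseconds -> RFC 3339 UTC string; None passes through unchanged."""
    if ms is None:
        return None
    stamp = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
    return stamp.isoformat(timespec="milliseconds").replace("+00:00", "Z")

def to_ecs(offense):
    """Hypothetical ECS-style document for one offense (assumed mapping, not the package's)."""
    event = {
        "kind": "alert", "category": ["intrusion_detection"],
        "id": str(offense["id"]), "severity": offense["severity"],
        "start": ms_to_iso(offense["start_time"]),
        "end": ms_to_iso(offense.get("close_time")),   # absent while the offense is open
    }
    keep = ("status", "magnitude", "credibility", "relevance", "offense_source", "event_count")
    return {
        "@timestamp": ms_to_iso(offense["last_updated_time"]),
        # Drop null values so the index never receives explicit nulls for closed-only fields.
        "event": {k: v for k, v in event.items() if v is not None},
        "message": offense["description"],
        "rule": {"id": [str(r["id"]) for r in offense.get("rules", [])]},
        "observer": {"name": [ls["name"] for ls in offense.get("log_sources", [])]},
        "qradar": {"offense": {k: offense[k] for k in keep if k in offense}},
    }

def next_cursor(offenses, previous=0):
    """Largest last_updated_time seen so far, for a `last_updated_time > <cursor>` filter
    on the next poll; an empty page keeps the previous cursor."""
    return max([previous] + [o["last_updated_time"] for o in offenses])
```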