
Hey, 

The QRadar integration has an action called "Update Offense"; inside this action it is mandatory to add the offense ID.

I want to insert a placeholder for this value but there is nothing related to it (nothing under Alert, case, event, etc.)

Where can I find this field \ value?

It would be awesome if you added the offense ID, at least for the events. This can help in a lot more situations.

Hey,

Sometimes that is not present at the beginning. Try this:

1. Use Get Original Alert json to get the RAW Event in JSON format.
2. Use Comment as the action and use the expression builder to get the fields from the previous action; you can use anything from there.
3. Also look under Case Explore to check for TicketId, Alert.TicketID or similar Events.
4. Under the Alert, check the Events tab and look for raw data.

For example, if the field would be alert_offense_id, then the field could be [Event.alert_offense_id] and so on.

Hope this helps

Regards,


I assume this Case was originally created through a QRadar Connector?

IIRC the offense ID might be mapped to the grouping identifier. Look at QRadar, get a real ID (5 digits?), then look in SOAR for any value that looks similar; that might help find it.


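The comparison suggested in the replies can also be done offline. This is an added example, not part of the thread: it walks a raw alert JSON export and lists every field whose value equals or contains a known offense ID, or whose key name hints at one. The sample JSON, its field names, the ID 48213 and the helper names are constructed assumptions, not the product's actual schema.

```python
import json

# Constructed sample of a raw alert export; the real structure depends on the
# connector and is not shown in the thread. 48213 is a made-up offense ID.
SAMPLE_ALERT_JSON = """
{
  "name": "Constructed sample alert",
  "ticket_id": "48213",
  "additional_properties": {"alert_group_identifier": "qradar_48213"},
  "events": [
    {"alert_offense_id": 48213, "source_ip": "192.0.2.10"},
    {"description": "no id here", "count": 3}
  ]
}
"""

KEY_HINTS = ("offense", "ticket", "group")  # assumed hints, based on the replies


def walk(node, path=""):
    """Yield (path, value) for every scalar leaf in parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, node


def find_offense_id_fields(raw_json, known_offense_id):
    """Return [(path, value, reason)] for fields that could hold the offense ID."""
    wanted = str(known_offense_id)
    hits = []
    for path, value in walk(json.loads(raw_json)):
        key = path.rsplit(".", 1)[-1].lower()
        if str(value) == wanted:
            hits.append((path, value, "exact"))       # value is the ID itself
        elif wanted in str(value):
            hits.append((path, value, "contains"))    # ID embedded in a longer value
        elif any(hint in key for hint in KEY_HINTS):
            hits.append((path, value, "key-name"))    # name suggests an ID field
    return hits


if __name__ == "__main__":
    for path, value, reason in find_offense_id_fields(SAMPLE_ALERT_JSON, 48213):
        print(f"{reason:9} {path} = {value!r}")
```

A path reported as "exact" or "contains" is a candidate for the placeholder; which prefix it needs in the expression builder (Event, Alert, and so on) still has to be checked in the platform.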