FortiSOAR Discussions
MuhammadFaruqi1
New Contributor III

Clubbed events from SIEM in FortiSOAR

Hi Experts!


We are ingesting the "Offenses" from QRadar SIEM into FortiSOAR. My ingestion schedule is configured for every 15 minutes.

In QRadar, what happens is that when an offense is generated, it has a few events in it. As long as the offense is not closed and the same offense is triggered again, the upcoming events are clubbed under the same offense.

For example: a Scan Detected offense is triggered with 50 scanning events from a source IP. Let's say 20 minutes after its generation, the scan is run again and 20 more scanning events are generated from the same source IP; since the offense was not closed, these new 20 events will be clubbed into the already generated offense. So the total event count would be 70 after 20 minutes.

Now my question is: let's say the offense was ingested from QRadar and an alert is created in SOAR with the initial 50 events in "Source Data". In the next ingestion, will the newly generated 20 events that were clubbed into the same offense be updated in that alert in FortiSOAR?


#FortiSOAR


BR,

MFaruqi
okumbhar
Staff

In the default data ingestion that we provide, the following query is used to fetch the events:

SELECT {{vars.event_query_params}} FROM EVENTS WHERE INOFFENSE({{vars.alertSourceData.offense_data['id']}}) ORDER BY starttime DESC LIMIT {{vars.event_record_limit}} START '{{vars.offense_start_time}}' STOP '{{vars.current_time}}'


By using this query, the latest events (up to the limit specified in the data ingestion configuration) are fetched in every data ingestion, and the alert is updated with these events.
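To make the consequence of that query concrete, here is an added Python model of the 50-plus-20 scenario from the question. It is not FortiSOAR's or QRadar's own code: it renders the AQL template from the reply with plain values in place of the {{vars.*}} placeholders and simulates what the ORDER BY starttime DESC LIMIT N window returns on each ingestion. The column list, offense id, source IP, timestamps and events are constructed assumptions, and so is the assumption that each ingestion replaces the alert's event list with the query result.

```python
from datetime import datetime, timedelta, timezone

# Template copied from the reply above; the {{vars.*}} Jinja placeholders are
# replaced by plain str.format fields so the query can be rendered offline.
AQL_TEMPLATE = (
    "SELECT {event_query_params} FROM EVENTS "
    "WHERE INOFFENSE({offense_id}) "
    "ORDER BY starttime DESC LIMIT {event_record_limit} "
    "START '{offense_start_time}' STOP '{current_time}'"
)

# Assumed column list; the real vars.event_query_params in FortiSOAR may differ.
DEFAULT_PARAMS = "QIDNAME(qid) AS event_name, sourceip, destinationip, starttime"


def fmt_aql_time(dt):
    """Render a datetime in the 'yyyy-MM-dd HH:mm:ss' form that AQL START/STOP accept."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def render_query(offense_id, limit, offense_start, now, params=DEFAULT_PARAMS):
    """Fill the template the way the ingestion playbook would for one run."""
    return AQL_TEMPLATE.format(
        event_query_params=params,
        offense_id=offense_id,
        event_record_limit=limit,
        offense_start_time=fmt_aql_time(offense_start),
        current_time=fmt_aql_time(now),
    )


def make_events(count, first_start, source_ip, prefix):
    """Constructed sample events, one per second, with QRadar's epoch-millisecond starttime."""
    return [
        {
            "id": f"{prefix}-{i}",
            "sourceip": source_ip,
            "starttime": int((first_start + timedelta(seconds=i)).timestamp() * 1000),
        }
        for i in range(count)
    ]


def run_query(offense_events, offense_start, now, limit):
    """Local model of the AQL result: events inside START/STOP, newest first, capped at LIMIT."""
    start_ms = int(offense_start.timestamp() * 1000)
    now_ms = int(now.timestamp() * 1000)
    in_window = [e for e in offense_events if start_ms <= e["starttime"] <= now_ms]
    in_window.sort(key=lambda e: e["starttime"], reverse=True)
    return in_window[:limit]


def ingest(alert, offense_events, offense_start, now, limit):
    """One ingestion cycle (assumed behaviour): the alert's event list is replaced by the result."""
    alert["source_data"]["events"] = run_query(offense_events, offense_start, now, limit)
    alert["source_data"]["query"] = render_query(alert["offense_id"], limit, offense_start, now)
    return alert


def simulate(limit):
    """Two ingestions of the 50 + 20 scan scenario.

    Returns (ids after ingestion 1, ids after ingestion 2, last rendered query).
    """
    t0 = datetime(2024, 1, 1, 10, 0, tzinfo=timezone.utc)  # constructed offense start
    first_batch = make_events(50, t0, "10.0.0.5", "scan1")
    second_batch = make_events(20, t0 + timedelta(minutes=20), "10.0.0.5", "scan2")
    alert = {"offense_id": 1234, "source_data": {}}  # constructed offense id

    # Ingestion 1 runs 15 minutes after the offense opened: only the first 50 exist yet.
    ingest(alert, first_batch, t0, t0 + timedelta(minutes=15), limit)
    after_first = [e["id"] for e in alert["source_data"]["events"]]

    # Ingestion 2 runs at +30 min: QRadar has clubbed 20 more events into the same offense.
    ingest(alert, first_batch + second_batch, t0, t0 + timedelta(minutes=30), limit)
    after_second = [e["id"] for e in alert["source_data"]["events"]]
    return after_first, after_second, alert["source_data"]["query"]


if __name__ == "__main__":
    for limit in (100, 50):
        first, second, query = simulate(limit)
        print(f"limit={limit}: after run 1 = {len(first)} events, after run 2 = {len(second)} events")
        print(f"  newest kept: {second[0]}, oldest kept: {second[-1]}")
    print(query)
```

Compare the two limits: with a limit above the offense's event count, the second ingestion holds all 70 events; with a limit of 50, the alert ends up with the 20 new events plus only the 30 most recent of the original 50, because the query keeps the newest events and (in this model) the ingestion replaces rather than appends. Size vars.event_record_limit accordingly if the alert's Source Data must retain every event of a long-running offense.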