FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduce alert fatigue, context switching, and the mean time to respond to incidents.
This article describes an issue where some QRadar offenses may be missed during FortiSOAR ingestion due to changes in API query parameters. Default playbooks use the start_time parameter in filter queries, which can cause certain offenses to be excluded:
start_time: The number of milliseconds since epoch when the offense was started.
first_persisted_time: The number of milliseconds since epoch when the offense was created.
In some cases, start_time and first_persisted_time may not be the same. For a similar issue, apply the changes below in the ingestion playbook.
Scope
FortiSOAR v7.5.x, v7.6.x
Solution
Step 1: Navigate to Playbook Collection -> IBM QRadar Ingest Playbook Collection -> QRadar Fetch Playbook.
Step 2: Locate the Get Offense step and update the filter query to use first_persisted_time instead of start_time.
Default Filter:
"{{vars.filter_string}} and (start_time > '{{vars.qradar_epoch}}' or last_updated_time > '{{vars.qradar_epoch}}' )"
Updated Filter:
"{{vars.filter_string}} and (first_persisted_time > '{{vars.qradar_epoch}}' or last_updated_time > '{{vars.qradar_epoch}}' )"
