Open GraemeBingham opened 4 years ago
Update: I have actually worked out how this functionality can be built into the QRadar Synapse workflow rather than the Hive itself. It would not be perfect in the same sense, because you would only be able to specify a different closure reason for Case Closure, as you can make custom fields required before closure.
I will see if I can get it running and do some testing.
Hi. I installed TheHive and Cortex and successfully extract QRadar offenses to Hive alerts. But I have a problem sending requests from Hive to QRadar when I close a case in Hive to close the offense on QRadar. In the Hive configuration I put this:
webhooks { myLocalWebHook { url = "http://127.0.0.1:5000/webhook" } }
but when I try it, it doesn't work. Can you tell me how to send a proper request to auto-close the offense in QRadar?
When using the Hive and the Synapse Qradar integration it would be very useful if you could specify the Qradar closure reason when closing an alert or case related to an Offense.
By default, the Synapse QradarConnector.py "closeOffense" function has a default closing_reason_id=1. This could easily be extended to take an extra parameter, for example closeReasonId, which could then be dynamic. This could be achieved with some simple modifications; however, it would still be hardcoded unless the QRadar closure reason is selectable in the Hive UI.
User stories:
1. Alerts Closure Reason
2. Case Closure Reason
I am not sure if this is the right project to put this FR in, as it also relates to the Synapse project; however, I thought that because it would require UI changes it might be better to put it in here.
This is just my idea on how it would be implemented, I am sure there are better ways to do it.
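As an added example (not code from Synapse, TheHive or the issue author), here is how a webhook receiver like the one configured above could choose the QRadar closing reason per case instead of the connector's hardcoded closing_reason_id=1: it reads an explicit custom field on the closed case, falls back to the case's resolutionStatus, and builds the QRadar offense-close call for the caller to send. The custom field names, the resolutionStatus-to-reason mapping and the webhook payload shape are assumptions.

```python
# Added example, not Synapse/TheHive code. Field names and the reason-id
# mapping are assumptions; adjust them to your own deployment.
DEFAULT_REASON_ID = 1                  # the connector's current hardcoded value
OFFENSE_FIELD = "qradarOffenseId"      # hypothetical custom field on the case
REASON_FIELD = "qradarClosingReason"   # hypothetical custom field on the case
# Assumed mapping from TheHive resolutionStatus to a QRadar closing_reason_id.
RESOLUTION_TO_REASON = {"TruePositive": 3, "FalsePositive": 2,
                        "Indeterminate": 1, "Duplicated": 1, "Other": 1}

def _int_field(case, name):
    """Read a positive integer custom field from a TheHive case, else None."""
    value = case.get("customFields", {}).get(name, {}).get("integer")
    return value if isinstance(value, int) and value > 0 else None

def pick_closing_reason(case):
    """An explicit custom field wins; otherwise derive from resolutionStatus."""
    explicit = _int_field(case, REASON_FIELD)
    if explicit is not None:
        return explicit
    return RESOLUTION_TO_REASON.get(case.get("resolutionStatus"), DEFAULT_REASON_ID)

def plan_offense_close(event, qradar_base):
    """Map a TheHive webhook event to the QRadar offense-close call.
    Returns None unless a case is being moved to Resolved and carries an
    offense id; the caller performs the HTTP request (with its SEC token)."""
    if event.get("objectType") != "case" or event.get("operation") != "Update":
        return None
    if event.get("details", {}).get("status") != "Resolved":
        return None
    case = event.get("object", {})
    offense_id = _int_field(case, OFFENSE_FIELD)
    if offense_id is None:
        return None
    return {"method": "POST",
            "url": f"{qradar_base}/api/siem/offenses/{offense_id}",
            "params": {"status": "CLOSED",
                       "closing_reason_id": pick_closing_reason(case)}}

# Constructed sample in the shape of a TheHive 3 case-update webhook event.
SAMPLE_EVENT = {
    "objectType": "case", "operation": "Update",
    "details": {"status": "Resolved", "resolutionStatus": "FalsePositive"},
    "object": {"resolutionStatus": "FalsePositive",
               "customFields": {OFFENSE_FIELD: {"integer": 42}}},
}

if __name__ == "__main__":
    print(plan_offense_close(SAMPLE_EVENT, "https://qradar.example"))
```

Events for alerts or for updates that do not resolve the case return None, so the receiver only closes an offense when the Hive case is actually closed.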