A customer wants to create tickets in an external ticketing system when a rule is triggered; the intention is to use a Custom Action Script to call the REST API of the ticketing system. How could this be done in IBM Security QRadar SIEM V7.2.7?
A. In the Offense Rule Responses, select the "Run Custom Script" option
B. Call the QRadar REST-API endpoint /custom_actions/scripts/{scripts_id}
C. Use a BASH script to run the 'curl' command to execute the required REST-API call in the ca_jail
D. Monitor the Console's syslog file /var/log/messages and execute a script when the event appears
Suggested Answer: C
Attach scripts to custom rules to perform specific actions in response to network events. Use the Custom Action window to manage custom action scripts, and to select or define the values that are passed to the script and the resulting action. For the security of your deployment, QRadar does not support the full range of scripting functionality provided by the Python, Perl, or Bash languages: the script runs in a restricted environment (the ca_jail).

Example of a BASH script with the curl command (the QRadar documentation's example, with the URL joined and the variables quoted):

    #!/bin/bash
    # Parameters passed in by the custom action: console IP, API token, offense source IP
    console_ip=$1
    api_token=$2
    offense_source_ip=$3
    auth_header="SEC:$api_token"
    # Look up the asset whose interface holds the offense source IP; the filter is URL-encoded
    output=$(curl -k -H "$auth_header" "https://$console_ip/console/restapi/api/asset_model/assets?filter=interfaces%20contains%20%28%20ip_addresses%20contains%20%28%20value%20%3D%20%22$offense_source_ip%22%29%29")
    # Basic print out of the output of the command
    echo "$output"

References: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.8/com.ibm.qradar.doc/c_qradar_adm_customActScripts.html
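As an added example (not from the page or from IBM's documentation), a custom action script of the kind the question asks about: it takes the offense ID, the offense source IP and the path to a curl config file holding the ticketing token as its parameters, checks their shape, and POSTs a ticket to a ticketing REST API. The parameter order, the ticketing URL and the JSON fields are assumptions made for the example.

```bash
#!/bin/bash
# Added example, not from the page or IBM: a custom action script that opens a
# ticket in an external ticketing system. Assumed parameters (set in the Custom
# Action window): $1 offense ID, $2 offense source IP, $3 path to a curl config
# file holding the ticketing token, e.g. the line: header = "Authorization: Bearer ..."
# The ticketing URL and its JSON fields are invented for the example.
set -eu

TICKET_URL="https://ticketing.example.com/api/v1/tickets"

# Basic shape check so that only a numeric offense ID and a dotted IPv4 address
# reach the HTTP request, even though both values come from the offense itself.
validate_args() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    case "$2" in ''|*[!0-9.]*) return 1 ;; esac
    return 0
}

# Build the JSON body the (assumed) ticketing API expects from the offense fields.
build_ticket_payload() {
    printf '{"title":"QRadar offense %s","description":"Offense source IP %s","source":"qradar"}' \
        "$1" "$2"
}

# POST the ticket. The token is read by curl from its config file (-K), so it
# never appears on the command line or in the process list; --fail turns an HTTP
# error into a non-zero exit status that QRadar records for the custom action.
create_ticket() {
    curl --silent --show-error --fail -K "$3" \
        --header "Content-Type: application/json" \
        --data "$(build_ticket_payload "$1" "$2")" \
        "$TICKET_URL"
}

main() {
    validate_args "$1" "$2" || { echo "rejected parameters: $1 $2" >&2; exit 2; }
    create_ticket "$1" "$2" "$3"
}

# Run only when invoked with the three parameters the custom action passes in.
if [ "$#" -eq 3 ]; then main "$@"; fi
```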