QRadar - Get offense correlations v2

Run on a QRadar offense to get more information:

  • Get all correlations relevant to the offense
  • Get all logs relevant to those correlations (not done by default: set the "GetCorrelationLogs" input to "True")

Inputs:

  • GetCorrelationLogs (default: False)
  • MaxLogsCount (default: 20)

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • QRadarCorrelationLog
  • QRadarFullSearch

Integrations

This playbook does not use any integrations.

Scripts

  • ChangeContext
  • Set

Commands

This playbook does not use any commands.

Playbook Inputs

| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| GetCorrelationLogs | When set to "True", retrieves all of the offense's correlation logs. | True | Optional |
| MaxLogsCount | Maximum number of log entries to query from QRadar. | 20 | Optional |
| ID | The QRadar offense ID. | incident.labels.id | Required |
| StartTime | The QRadar offense start time. | incident.labels.start_time | Required |
| GetOnlyCREEvents | When set to "OnlyCRE", gets only events generated by the QRadar Custom Rule Engine (CRE). Possible values: "OnlyCRE", "OnlyNotCRE", "All". | All | Optional |
| MaxCorrelationCount | Maximum number of correlations to query from QRadar. | 100 | Optional |
| Fields | A comma-separated list of extra fields to get from each event. | | Optional |

Playbook Outputs

| Path | Description | Type |
| --- | --- | --- |
| QRadar | QRadar context output | unknown |
| QRadar.Correlation | The QRadar offense correlations | unknown |
| QRadar.Correlation.StartTime | The correlation start time | unknown |
| QRadar.Correlation.CategoryID | The correlation category ID | unknown |
| QRadar.Correlation.Category | The correlation high-level category | unknown |
| QRadar.Correlation.QID | The correlation QID (QRadar event identifier) | unknown |
| QRadar.Correlation.CREName | The correlation (CRE rule) name | unknown |
| QRadar.Correlation.CREDescription | The correlation (CRE rule) description | unknown |
| QRadar.Correlation.SourceIP | The correlation source IP | unknown |
| QRadar.Correlation.DestinationIP | The correlation destination IP | unknown |
| QRadar.Correlation.Username | The correlation username | unknown |
| QRadar.Log | The QRadar offense correlation logs | unknown |
| QRadar.Log.QID | The log's QID (QRadar event identifier), which links the log to its correlation | unknown |
| QRadar.Log.StartTime | The log's start time | unknown |
| QRadar.Log.Category | The log's category | unknown |
| QRadar.Log.Magnitude | The log's magnitude | unknown |
| QRadar.Log.SourceIP | The log's source IP | unknown |
| QRadar.Log.SourcePort | The log's source port | unknown |
| QRadar.Log.DestinationIP | The log's destination IP | unknown |
| QRadar.Log.DestinationPort | The log's destination port | unknown |
| QRadar.Log.IdentityIP | The log's identity IP | unknown |
| QRadar.Log.Username | The log's username | unknown |
| QRadar.Log.ProtocolName | The log's protocol name | unknown |
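The following is an added illustration, not code from the playbook or the QRadar pack, of how the inputs and outputs above fit together: it normalizes the string-valued playbook inputs (rejecting an unknown GetOnlyCREEvents value, splitting the comma-separated Fields list, enforcing positive counts) and then bundles the QRadar.Log entries under the QRadar.Correlation entry that shares their QID, in StartTime order. The sample context is constructed, and the function names, the per-correlation application of MaxLogsCount and the use of QID as the join key between the two output lists are assumptions made for this example, not behaviour documented by the playbook.

```python
"""Added example: post-process this playbook's context outputs.

Not part of the playbook. SAMPLE_CONTEXT is constructed test data; the
helper names and the per-correlation log cap are this example's own
assumptions, not documented playbook behaviour.
"""
from typing import Any, Dict, List

VALID_CRE_MODES = ("OnlyCRE", "OnlyNotCRE", "All")

# Constructed sample in the shape of the playbook's context outputs
# (QRadar.Correlation and QRadar.Log). Not real offense data.
SAMPLE_CONTEXT: Dict[str, Any] = {
    "QRadar": {
        "Correlation": [
            {"QID": 28250011, "CREName": "Multiple Login Failures",
             "CREDescription": "Repeated failed logins from one source",
             "StartTime": 1700000000000, "CategoryID": 3010,
             "Category": "Authentication", "SourceIP": "10.0.0.5",
             "DestinationIP": "10.0.0.20", "Username": "alice"},
            {"QID": 28250042, "CREName": "Outbound to Known Bad IP",
             "CREDescription": "Connection to a listed destination",
             "StartTime": 1700000005000, "CategoryID": 4020,
             "Category": "Suspicious Activity", "SourceIP": "10.0.0.7",
             "DestinationIP": "203.0.113.9", "Username": "bob"},
        ],
        "Log": [
            # Deliberately out of time order to show the sort below.
            {"QID": 28250011, "StartTime": 1700000001000, "SourceIP": "10.0.0.5",
             "DestinationIP": "10.0.0.20", "Username": "alice", "Magnitude": 5},
            {"QID": 28250011, "StartTime": 1700000000000, "SourceIP": "10.0.0.5",
             "DestinationIP": "10.0.0.20", "Username": "alice", "Magnitude": 5},
            {"QID": 28250011, "StartTime": 1700000002000, "SourceIP": "10.0.0.5",
             "DestinationIP": "10.0.0.20", "Username": "alice", "Magnitude": 6},
            {"QID": 28250042, "StartTime": 1700000006000, "SourceIP": "10.0.0.7",
             "DestinationIP": "203.0.113.9", "Username": "bob", "Magnitude": 8},
            # A log whose QID matches no correlation; it must not be attached.
            {"QID": 99, "StartTime": 1700000007000, "SourceIP": "10.0.0.9",
             "DestinationIP": "10.0.0.1", "Username": "eve", "Magnitude": 1},
        ],
    }
}


def is_valid_cre_mode(value: Any) -> bool:
    """True only for the three values the GetOnlyCREEvents input accepts."""
    return value in VALID_CRE_MODES


def normalize_inputs(raw: Dict[str, Any]) -> Dict[str, Any]:
    """Coerce the string-valued playbook inputs to typed values.

    Defaults follow the inputs table: GetCorrelationLogs "True",
    MaxLogsCount 20, GetOnlyCREEvents "All", MaxCorrelationCount 100.
    """
    mode = raw.get("GetOnlyCREEvents", "All")
    if not is_valid_cre_mode(mode):
        raise ValueError("GetOnlyCREEvents must be one of %s" % (VALID_CRE_MODES,))
    max_logs = int(raw.get("MaxLogsCount", 20))
    max_corr = int(raw.get("MaxCorrelationCount", 100))
    if max_logs <= 0 or max_corr <= 0:
        raise ValueError("MaxLogsCount and MaxCorrelationCount must be positive")
    # Fields is a comma-separated list; tolerate spaces and a trailing comma.
    fields = [f.strip() for f in str(raw.get("Fields", "")).split(",") if f.strip()]
    return {
        "GetCorrelationLogs": str(raw.get("GetCorrelationLogs", "True")).lower() == "true",
        "MaxLogsCount": max_logs,
        "MaxCorrelationCount": max_corr,
        "GetOnlyCREEvents": mode,
        "Fields": fields,
    }


def bundle_correlations(context: Dict[str, Any], inputs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Attach each correlation's logs (matched on QID, assumption) to it.

    MaxCorrelationCount caps the correlations kept; MaxLogsCount is applied
    per correlation here (this example's choice), oldest logs first.
    """
    qradar = context.get("QRadar", {})
    correlations = qradar.get("Correlation", [])[: inputs["MaxCorrelationCount"]]
    logs = qradar.get("Log", []) if inputs["GetCorrelationLogs"] else []
    by_qid: Dict[Any, List[Dict[str, Any]]] = {}
    for log in logs:
        by_qid.setdefault(log.get("QID"), []).append(log)
    bundles = []
    for corr in correlations:
        related = sorted(by_qid.get(corr.get("QID"), []), key=lambda l: l.get("StartTime", 0))
        bundles.append({"correlation": corr, "logs": related[: inputs["MaxLogsCount"]]})
    return bundles


if __name__ == "__main__":
    for b in bundle_correlations(SAMPLE_CONTEXT, normalize_inputs({"MaxLogsCount": "2"})):
        print(b["correlation"]["CREName"], len(b["logs"]), "log(s)")
```

Run as a script it prints one line per correlation with the number of attached logs; the unrelated QID 99 log is dropped because no correlation claims it, which is the check a practitioner wants before trusting a per-correlation log view.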