QRadar - Get offense correlations

This Playbook is part of the Deprecated Content (Deprecated) Pack.

Deprecated

Use the QRadar - Get offense correlations v2 instead.

Run on a QRadar offense to get more information:

  • Get all correlations relevant to the offense
  • Get all logs relevant to the correlations (not done by default, set "GetCorrelationLogs" to "True")

Inputs:

  • GetCorrelationLogs (default - False)
  • MaxLogsCount (default - 20)

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • QRadarGetCorrelationLogs
  • QRadarGetOffenseCorrelations

Commands

This playbook does not use any commands.

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| GetCorrelationLogs | If "True", gets all of the offense's correlation logs | False | Optional |
| MaxLogsCount | Maximum number of log entries to query from QRadar (default: 20) | 20 | Optional |
| ID | The QRadar offense ID | incident.labels.id | Required |
| StartTime | The QRadar offense start time | incident.labels.start_time | Required |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| QRadar.Correlation.StartTime | The correlation start time | unknown |
| QRadar.Correlation.CategoryID | The correlation category id | unknown |
| QRadar.Correlation.QID | The correlation QID identifier | unknown |
| QRadar.Correlation.CREName | The correlation name | unknown |
| QRadar.Correlation.CREDescription | The correlation description | unknown |
| QRadar.Correlation | The QRadar offense correlations | unknown |
| QRadar.Correlation.SourceIP | The correlation source IP | unknown |
| QRadar | QRadar context output | unknown |
| QRadar.Correlation.DestinationIP | The correlation destination IP | unknown |
| QRadar.Correlation.Category | The correlation high level category | unknown |
| QRadar.Correlation.Username | The correlation username | unknown |
| QRadar.Log | The QRadar offense correlation logs | unknown |
| QRadar.Log.QID | The log's correlation ID | unknown |
| QRadar.Log.SourceIP | The log's source IP | unknown |
| QRadar.Log.DestinationPort | The log's destination port | unknown |
| QRadar.Log.SourcePort | The log's source port | unknown |
| QRadar.Log.DestinationIP | The log's destination IP | unknown |
| QRadar.Log.Category | The log's category | unknown |
| QRadar.Log.IdentityIP | The log's identity IP | unknown |
| QRadar.Log.Username | The log's username | unknown |
| QRadar.Log.StartTime | The log's start time | unknown |
| QRadar.Log.Magnitude | The log's magnitude | unknown |
| QRadar.Log.ProtocolName | The log's protocol name | unknown |
