Passing Offense ID to custom action script


We have a bunch of custom event rules which are supposed to open a ticket in our incident response software upon offense creation. My first thought was: Let’s write a custom action script which informs the IR software about the new Offense ID, which in turn pulls all relevant details via the QRadar API.
Unfortunately the Offense ID doesn’t seem to be a Network Event Property which can be passed to a custom action script.

Do you have any idea how to solve this?


