Set Priority based on Custom field "Magnitude" value

Issue #786 resolved
Nikhil created an issue

Hi @fcarmario,

We are planning to use the QRadar (SIEM tool) provided “Magnitude” value as our Severity ranking value, which will drive SLA timeframes. The value is a 0-10 score assigned by QRadar based on three input values. We will need to ensure that value is captured in the Jira ticket that is presented to the Monitoring team, and ideally it would already be mapped to the appropriate SLA criticality (0-5 low, 6-7 medium, 8-9 high, 9-10 critical). Can you help us identify what that would take to achieve? For example: if the Magnitude field holds a value of 8, then the Jira ticket must be created with a priority of Medium (0-5 low, 6-7 medium, 8-9 high, 9-10 critical). Please help!!

Thanks Nikhil

Comments (8)

  1. Fidel Castro Armario repo owner

    Please attach an example of an issue created by the SIEM. I need that information in order to design a method for extracting the Magnitude and using it to set the issue Priority.

  2. Nikhil reporter

    Hi,

    Here is the sample description that the SIEM tool sends, where the Magnitude is "Magnitude: 6". Since the Magnitude value is 6, the priority of the issue must be set as Medium (6-7 medium). But our default priority is Medium, so I think we just need to configure for Magnitude values of 0-5 low, 8-9 high, 9-10 critical.

    The following is an automated response sent to you by the QRadar offense custom rules engine. Offense CRE Rule #114743, "SourceFire to Deloitte" fired Rule Notes:


    Offense #28402 Start Time: Mon Sep 11 20:03:31 CDT 2017

    Magnitude: 6, Relevance 5, Severity: 10, Credibility 3

    Nikhil

  3. Fidel Castro Armario repo owner

    Hi @nikhil_dsv,

    You can extract the magnitude value using the "Parse field for extracting data" post-function, and store the value in Ephemeral number 1. To do it you should use the following configuration:

    [Screenshot attachments: Captura de pantalla 2017-09-12 a las 14.35.17.png, Captura de pantalla 2017-09-12 a las 14.35.38.png]

    Leading delimiter is: "Magnitude: ". Note the trailing blank space.

    Then you can use the post-function "Set a field as a function of other fields" to set the issue priority according to the magnitude value in Ephemeral number 1.

    [Screenshot attachment: Captura de pantalla 2017-09-12 a las 14.37.04.png]

    Setting rules are:

    [{00058} >= 0 AND {00058} <= 5]Low
    [{00058} >= 6 AND {00058} <= 8]High
    [{00058} >= 9 AND {00058} <= 10]Critical

    where {00058} is field code for Ephemeral number 1.

    Once configured, your transition configuration will look like this:

    [Screenshot attachment: Captura de pantalla 2017-09-12 a las 14.45.27.png]
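    An added example, not code from this thread or from the JWT add-on, that reproduces the two steps above in Python: take the digits after the leading delimiter "Magnitude: " from the QRadar text, then apply first-match-wins range rules. The sample text is constructed from the offense notification quoted earlier in the thread, the function names are my own, and the second rule table is the one from the issue description, where 9 sits in two ranges, to show that rule order decides the outcome.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of the QRadar offense text quoted in the thread.
SAMPLE_DESCRIPTION = (
    "The following is an automated response sent to you by the QRadar offense "
    "custom rules engine. Offense CRE Rule #114743 fired Rule Notes:\n"
    "Offense #28402 Start Time: Mon Sep 11 20:03:31 CDT 2017\n"
    "Magnitude: 6, Relevance 5, Severity: 10, Credibility 3\n"
)

# Equivalent of the "Parse field" step: the digits that follow the leading
# delimiter "Magnitude: " (trailing blank included), stopping at the comma.
MAGNITUDE_RE = re.compile(r"Magnitude: (\d+)")

Rule = Tuple[int, int, str]  # (lowest, highest, priority name)

# Range rules as given in comment 3 of the thread.
RULES_COMMENT3: List[Rule] = [(0, 5, "Low"), (6, 8, "High"), (9, 10, "Critical")]

# Ranges as written in the issue description; 9 appears in two of them,
# so the position in the list decides which priority wins.
RULES_REQUESTED: List[Rule] = [
    (0, 5, "Low"), (6, 7, "Medium"), (8, 9, "High"), (9, 10, "Critical"),
]


def extract_magnitude(description: str) -> Optional[int]:
    """Return the integer following 'Magnitude: ', or None if it is absent."""
    match = MAGNITUDE_RE.search(description)
    return int(match.group(1)) if match else None


def priority_for(magnitude: Optional[int], rules: List[Rule],
                 default: str = "Medium") -> str:
    """First matching range wins; a missing or out-of-range value keeps the default."""
    if magnitude is None:
        return default
    for lowest, highest, name in rules:
        if lowest <= magnitude <= highest:
            return name
    return default


def priority_from_description(description: str, rules: List[Rule]) -> str:
    return priority_for(extract_magnitude(description), rules)


if __name__ == "__main__":
    print(priority_from_description(SAMPLE_DESCRIPTION, RULES_COMMENT3))   # High
    print(priority_from_description(SAMPLE_DESCRIPTION, RULES_REQUESTED))  # Medium
```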

  4. Nikhil reporter

    Hi,

    I have used the logic below and it seems to be working. Please correct me if it is wrong:

    The field Priority will be set according to the evaluation of Description against the following set of rules:
    i(.Magnitude: 10.)Critical
    i(.(Magnitude: 9|Magnitude: 8).)High
    i(.(Magnitude: 0|Magnitude: 1|Magnitude: 2|Magnitude: 3|Magnitude: 4|Magnitude: 5).)Low
    This feature will be run as user in field Current user.

    What is the difference between these 2 logics?

    Nikhil

  5. Nikhil reporter
    • changed status to open

    Hi Fidel,

    Can I have both of these below post-functions enabled for the same workflow?

    1) The field Description will be set according to the evaluation of Summary against the following set of rules:
    i(.Magnitude: 10.)Critical
    i(.(Magnitude: 9|Magnitude: 8).)High
    i(.(Magnitude: 0|Magnitude: 1|Magnitude: 2|Magnitude: 3|Magnitude: 4|Magnitude: 5).)Low
    This feature will be run as user in field Current user. by JWT

    2) The field Priority will be set according to the evaluation of Summary against the following set of rules:
    i(.:Critical:.)Critical
    i(.:High:.)High
    i(.:Medium:.)Medium
    i(.:Low:.)Low
    This feature will be run as user in field Current user.

    I need both of them, or maybe I may add a couple more for the same Incident issue type workflow. So, is it possible to have an OR condition type between these post-functions?

    Nikhil
