QRadar SOAR Overview
A security orchestration, automation and response (SOAR) platform deeply integrated with QRadar SIEM.
SIEM → SOAR Integration
Configure Offense Forwarding
Path: Admin > System Settings > Event Pipeline > Offense Forwarding
# Create a Case through the SOAR REST API
import requests

soar_url = "https://soar/rest/orgs/1"
headers = {
    # Basic auth: base64-encoded credentials for the SOAR org
    "Authorization": "Basic <base64>",
    "Content-Type": "application/json"
}
case_data = {
    "name": "QRadar Offense #12345",
    "description": "Detected C2 communication",
    "severity_code": "High"
}
r = requests.post(f"{soar_url}/incidents", headers=headers, json=case_data)
r.raise_for_status()          # fail loudly instead of indexing an error body
case_id = r.json()["id"]      # id of the newly created incident (case)
Playbook Example
[Trigger: QRadar Offense "C2 Communication"]
↓
[Extract Source IP]
↓
[Check IP Reputation (X-Force)]
↓
[Reputation Score > 7?]
↓ Yes
[Add IP to Firewall Block List]
↓
[Add Note to QRadar Offense]
↓
[Send Email to SOC]
↓
[Close Case]
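The same playbook logic written out as plain Python, as an added example that is not part of the original page or of IBM's product code. It assumes a constructed offense record and a stand-in reputation lookup (the real step would call X-Force over the network), a magnitude-to-severity mapping of my own, and that the "No" branch of the score check only records a note and closes the case without blocking or emailing.

```python
from typing import Callable, List

# Constructed sample of a forwarded QRadar offense (not a real record).
SAMPLE_OFFENSE = {
    "id": 12345,
    "description": "C2 Communication",
    "offense_source": "10.0.0.42",
    "magnitude": 8,
}

# Constructed stand-in for the X-Force reputation step; scores are invented.
FAKE_REPUTATION = {"10.0.0.42": 9, "10.0.0.7": 2}


def lookup_reputation(ip: str) -> int:
    """Return the constructed reputation score, 0 for unknown IPs."""
    return FAKE_REPUTATION.get(ip, 0)


def magnitude_to_severity(magnitude: int) -> str:
    """Assumed mapping from QRadar magnitude (0-10) to a SOAR severity_code."""
    if magnitude >= 7:
        return "High"
    if magnitude >= 4:
        return "Medium"
    return "Low"


def build_incident(offense: dict) -> dict:
    """Build the JSON body that would be POSTed to /incidents for this offense."""
    return {
        "name": f"QRadar Offense #{offense['id']}",
        "description": f"Detected {offense['description']}",
        "severity_code": magnitude_to_severity(offense["magnitude"]),
    }


def run_playbook(offense: dict, reputation: Callable[[str], int],
                 threshold: int = 7) -> List[str]:
    """Walk the playbook steps and return the actions taken, in order."""
    ip = offense["offense_source"]            # Extract Source IP
    score = reputation(ip)                    # Check IP Reputation
    actions = []
    if score > threshold:                     # Reputation Score > 7?  -> Yes
        actions.append(f"block:{ip}")         # Add IP to Firewall Block List
        actions.append(f"note:offense {offense['id']} score={score}")
        actions.append("email:soc")           # Send Email to SOC
    else:                                     # No (assumed branch)
        actions.append(f"note:offense {offense['id']} score={score} below threshold")
    actions.append("close")                   # Close Case
    return actions
```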