
Workflow Template: Fetch New QRadar Offenses with Pagination

A nested workflow to pull all new open QRadar offenses and use pagination to return all results.


The "Fetch New QRadar Offenses with Pagination" workflow template automates the retrieval of open offenses from IBM QRadar for threat hunting. It runs on a schedule, asks QRadar for open offenses within the time frame defined by a stored workflow start time, and pages through the API so that a run which matches more offenses than a single response holds is still collected in full. If offenses are found they are returned; otherwise an empty array is returned, so a parent workflow can always iterate over the output without a null check. This workflow suits security teams that want to feed new offenses into their incident response process on a fixed cadence.

Optional Triggers

Schedule, Slack, Microsoft Teams

Use Cases

Threat Hunting

Workflow Breakdown

  1. Execute the nested workflow on a schedule.

  2. Check whether the workflow start time is set in a global variable; the stored value bounds the time frame of the offense query.

  3. Query QRadar for open offenses and collect every result, requesting further pages until the API returns no more.

  4. On exit, return the collected offenses, or an empty array if none were found.
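
The four steps above, as an added standalone example that is not part of the Torq template or its YAML. It assumes the standard QRadar REST conventions: `GET /api/siem/offenses`, the `SEC` authorized-service token header, a `filter` query parameter, and `Range: items=a-b` pagination where a page shorter than the requested size marks the end. The `Version` header value, the default 24-hour look-back used when no start time is stored, and the sample offenses served by the fake console are all constructed for the example.

```python
"""Page through open QRadar offenses newer than a stored workflow start time.

Added example; not Torq's or IBM's code. The endpoint, SEC header and Range
pagination are standard QRadar API conventions; the Version value, look-back
window and sample data below are assumptions made for this example.
"""
import json
import re
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional

PAGE_SIZE = 50                          # offenses requested per Range request
DEFAULT_LOOKBACK_MS = 24 * 3600 * 1000  # assumed window when no start time is stored

Page = List[Dict]
Sender = Callable[[urllib.request.Request], Page]


def resolve_start_time(stored: Optional[int], now_ms: Optional[int] = None) -> int:
    """Step 2: use the start time from the global variable, else fall back to a fixed look-back."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    return stored if stored is not None else now_ms - DEFAULT_LOOKBACK_MS


def build_request(base_url: str, token: str, start_time_ms: int,
                  first: int, last: int) -> urllib.request.Request:
    """One page of open offenses whose start_time is after start_time_ms (epoch milliseconds)."""
    query = urllib.parse.urlencode({
        "filter": f"status=OPEN and start_time>{start_time_ms}",
        "fields": "id,description,start_time,magnitude",
    })
    req = urllib.request.Request(f"{base_url.rstrip('/')}/api/siem/offenses?{query}")
    req.add_header("SEC", token)                 # QRadar authorized-service token
    req.add_header("Version", "14.0")            # assumed API version; pin to your console's
    req.add_header("Accept", "application/json")
    req.add_header("Range", f"items={first}-{last}")  # inclusive, zero-based item range
    return req


def fetch_open_offenses(send: Sender, base_url: str, token: str, start_time_ms: int,
                        page_size: int = PAGE_SIZE, max_pages: int = 1000) -> Page:
    """Step 3: keep requesting the next Range until a short (or empty) page comes back."""
    results: Page = []
    for page in range(max_pages):  # hard cap so a misbehaving server cannot loop us forever
        first = page * page_size
        batch = send(build_request(base_url, token, start_time_ms, first, first + page_size - 1))
        results.extend(batch)
        if len(batch) < page_size:
            break
    return results  # Step 4: an empty list when nothing matched, never None


def next_start_time(offenses: Page, previous: int) -> int:
    """Advance the stored start time to the newest offense seen so the next run skips it."""
    return max([previous] + [o["start_time"] for o in offenses])


def live_send(req: urllib.request.Request) -> Page:
    """Sender for a real console; urllib verifies TLS by default, do not disable it."""
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def make_fake_qradar(offenses: Page) -> Sender:
    """Constructed stand-in for a console: honours the filter and Range header like QRadar."""
    def send(req: urllib.request.Request) -> Page:
        query = urllib.parse.parse_qs(urllib.parse.urlparse(req.full_url).query)
        threshold = int(re.search(r"start_time>(\d+)", query["filter"][0]).group(1))
        first, last = (int(n) for n in req.get_header("Range").split("=")[1].split("-"))
        matching = [o for o in offenses if o["status"] == "OPEN" and o["start_time"] > threshold]
        return matching[first:last + 1]
    return send


# Constructed sample: 121 offenses one second apart, one of them already closed.
SAMPLE_OFFENSES = [
    {"id": i, "description": f"offense {i}", "start_time": 1_700_000_000_000 + i * 1000,
     "magnitude": 3, "status": "OPEN" if i != 7 else "CLOSED"}
    for i in range(121)
]

if __name__ == "__main__":
    fake = make_fake_qradar(SAMPLE_OFFENSES)
    since = resolve_start_time(stored=None, now_ms=1_700_000_000_000)
    found = fetch_open_offenses(fake, "https://qradar.example", "token", since)
    print(len(found), "open offenses; next start time", next_start_time(found, since))
```

Swap `make_fake_qradar(...)` for `live_send` to run against a console. The hard `max_pages` cap and the short-page stop condition are what keep the loop bounded if the API misreports ranges, and storing `next_start_time(...)` back into the global variable is what prevents the same offense from being returned on every run.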

Vendors

Utils, Torq, IBM QRadar

Workflow Output

On exit, the open offenses found in QRadar, returned as an array (empty if none were found).
