[QRadar] Support multiple reference sets in one connector #2946
Labels: feature, needs triage
Use case
As an OpenCTI admin, I would like to be able to support sending multiple IOC types (e.g. IPs, Domains, Hashes) to QRadar from one connector installation.
Current Workaround
As QRadar supports only one IOC type (hash, domain, IP, etc.) per reference set, sending feeds of multiple types to QRadar would require several similar connectors to be installed to support one QRadar instance fully. Currently there is one connector required per reference set, and hence one connector per iType sent. Typically, this would require 6 connectors, i.e.:
OpenCTI_Domain, OpenCTI_IPv4, OpenCTI_MD5, OpenCTI_SHA1, OpenCTI_SHA256, OpenCTI_URL
Proposed Solution
Modify the existing connector to connect to multiple Reference Sets in QRadar, and for each IOC, identify the STIX IOC iType received, and send it to the corresponding compatible Reference Set.
Additional Information
Would you be willing to submit a PR?
We strongly encourage you to submit a PR if you want and whenever you want. If your issue concerns a "Community-support" connector, your PR will probably be accepted after some review. If the connector is "Partner-support" or "Filigran-support", a dev team may take over but will base its work on your PR, speeding the process. It will be much appreciated.
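The routing step proposed in this issue, sketched as an added example (not the connector's own code): it reads the object type from each STIX pattern and groups values under the six reference set names listed in the workaround. The function names, the hash-key normalization and the sample indicators are assumptions, and no QRadar API call is made.

```python
import re
from collections import defaultdict

# Reference set names from the issue, keyed by normalized (object type, property path).
REFERENCE_SETS = {
    ("domain-name", "value"): "OpenCTI_Domain",
    ("ipv4-addr", "value"): "OpenCTI_IPv4",
    ("file", "hashes.md5"): "OpenCTI_MD5",
    ("file", "hashes.sha1"): "OpenCTI_SHA1",
    ("file", "hashes.sha256"): "OpenCTI_SHA256",
    ("url", "value"): "OpenCTI_URL",
}
# One STIX equality comparison: object-type:property.path = 'value'
COMPARISON = re.compile(r"([a-z0-9-]+):([\w.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'")

def route_pattern(pattern):
    """Return (reference_set, value) for each supported comparison in a STIX pattern."""
    routed = []
    for obj_type, path, value in COMPARISON.findall(pattern):
        # hashes.'SHA-256', hashes.SHA-256 and hashes.sha256 all normalize alike
        key = (obj_type, path.replace("'", "").replace("-", "").lower())
        ref_set = REFERENCE_SETS.get(key)
        if ref_set is None:
            continue  # e.g. ipv6-addr: no compatible reference set configured
        value = re.sub(r"\\(.)", r"\1", value)  # undo STIX backslash escapes
        if obj_type == "file":
            value = value.lower()  # keep one canonical hash form per set
        routed.append((ref_set, value))
    return routed

def build_batches(indicators):
    """Group indicator values per reference set; also return ids that matched nothing."""
    batches, unrouted = defaultdict(set), []
    for ind in indicators:
        pairs = route_pattern(ind["pattern"]) if ind.get("pattern_type") == "stix" else []
        if not pairs:
            unrouted.append(ind["id"])
        for ref_set, value in pairs:
            batches[ref_set].add(value)
    return {name: sorted(vals) for name, vals in batches.items()}, unrouted

SAMPLE = [  # constructed indicators, not real feed data
    {"id": "i1", "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"id": "i2", "pattern_type": "stix", "pattern": "[domain-name:value = 'bad.example']"},
    {"id": "i3", "pattern_type": "stix", "pattern": "[file:hashes.MD5 = 'D41D8CD98F00B204E9800998ECF8427E' OR file:hashes.'SHA-1' = 'da39a3ee5e6b4b0d3255bfef95601890afd80709']"},
    {"id": "i4", "pattern_type": "stix", "pattern": "[ipv6-addr:value = '2001:db8::1']"},
    {"id": "i5", "pattern_type": "yara", "pattern": "rule r { condition: true }"},
]
```

Indicators returned in the unrouted list (unsupported observable types or non-STIX patterns) are worth logging, so that a gap in reference set coverage is visible rather than silently dropped.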