IBM QRadar

IBM QRadar

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only
Expand all | Collapse all

Access Incident Custom Fields in Scripts - Qradar SOAR

  • 1.  Access Incident Custom Fields in Scripts - Qradar SOAR

    Posted Thu July 27, 2023 02:58 PM
    Edited by Fnu Preetham Nagesh Thu July 27, 2023 02:59 PM

    Hello Team

    I'm implementing a playbook in IBM Qradar SOAR v47. To test the functionality, I have created 2 scripts in the playbook. The first one updates the incident custom field to a static value. This runs as expected. Example code below - 

    incident.splunk_imperva_informative_findings_count = "100"

    However the issue arises when I add another script that tries to get the custom value. Here, In the second script, Im trying to read the custom value which is when an error is popping up when running the playbook. Code to access the custom field value - 

    incident_field_value = incident.splunk_imperva_informative_findings_count

    Error Image - 

    Any assistance on this would be appreciated ! Please let me know if any additional information is needed from my side on this.

    Thanks
    ------------------------------
    Fnu Preetham Nagesh
    ------------------------------



  • 2.  RE: Access Incident Custom Fields in Scripts - Qradar SOAR

    Posted Fri July 28, 2023 03:20 PM
    Edited by Jonathan Pechta Fri July 28, 2023 03:20 PM

    I think you've got the wrong discussion area. You likely want to create a new discussion thread here: https://community.ibm.com/community/user/security/communities/community-home/digestviewer?communitykey=d2f71e8c-108e-4652-b59c-29d61af7163e 

    • You are here ---> QRadar SIEM / QRadar on Cloud / QRadar Log Insights discussions. 
    • You want to be here --> QRadar SOAR discussions


    Things were easier when SOAR was Resilient and QRadar had much different product names. If you need further assistance on QRadar SIEM or QRadar on Cloud, we can help, but for QRadar SOAR you'll need to recreate this thread as I don't know how to move your question between product groups unfortunately. 



    ------------------------------
    Jonathan Pechta
    QRadar Support Content Lead
    Support forums: ibm.biz/qradarforums
    jonathan.pechta1@ibm.com
    ------------------------------