IBM QRadar SOAR


Unable to parse information from Data Table in Resilient

  • 1.  Unable to parse information from Data Table in Resilient

    Posted Mon November 30, 2020 04:28 AM
    Hi,

    I am facing an issue while parsing information from the Data Table of an Incident in Resilient.

    Consider this data table: (Note: This is dummy data)



    I intend to parse the information from the above data table via a script in the following manner:

    1. Event Name: ABCD
    - Method: GET
                    POST
    - Response Code: 200
    - User Agent: abcdefg
    - URL: https://qwerty.com
                https://asdfgh.com

    2. Event Name: WXYZ
    - Method: GET
                     DELETE
    - Response Code: 201
    - User Agent: jklmnop
                          pqrstuv
    - URL: https://zxcvbn.com
                https://mnbvcx.com  

    3. Event Name: JKLM
    - Method: POST
    - Response Code: 404
    - User Agent: uvwxyz
    - URL: https://lkjhgfd.com

     In reality, the incident's data table is populated from QRadar via a QRadar Ariel query. Once the data is populated in the data table, I intend to execute the script (triggered by an automatic rule), which will extract the desired information in the above manner.

    I searched the available Resilient documentation thoroughly but could not find a solution.

    Can anyone please help me out with this? I would be really grateful.

    Thank You !

    ------------------------------
    Akhilesh Deshmukh,
    Data Analyst, SecurityHQ
    ------------------------------


  • 2.  RE: Unable to parse information from Data Table in Resilient

    Posted Tue December 01, 2020 09:40 AM
    I don't think it is possible to get arbitrary rows from a data table using an in-product script.

    One way to accomplish this could be to use this data table helper function: https://exchange.xforce.ibmcloud.com/hub/extension/c3b2e7a1a38f3e249c540d3b49fad459. Then, after retrieving the data from the data table as function results, you can use the in-product script to do what you want with the results.

    One thing that wasn't clear to me is under what conditions the script will run. You mentioned an automatic rule, but would that run when a row is added to the data table? If so, that's fine. Not sure if you had something else in mind.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------
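
The part the thread leaves open is the grouping step itself: once the helper function (or the REST API) has handed the rows back, how to collapse them into the per-event layout asked for in the question. The following is an added example, not code from the thread or from the IBM data table helper function. It assumes each row arrives either as a flat dict of `{column_api_name: value}` or in the REST shape `{"id": ..., "cells": {column_api_name: {"value": ...}}}`, and the column API names `event_name`, `method`, `response_code`, `user_agent` and `url` are assumptions standing in for whatever the real table defines. The sample rows are constructed to mirror the dummy table in the question.

```python
"""Group Resilient data-table rows by event name and render them as a summary.

Added example, not code from the thread or from the IBM data-table helper
function. Assumes rows are flat dicts {column_api_name: value} or REST-style
rows {"id": ..., "cells": {column_api_name: {"value": ...}}}. The column API
names used here are assumptions; adjust them to the real table definition.
"""
from collections import OrderedDict

# Column API names are assumed; change them to match the data table's fields.
EVENT_COLUMN = "event_name"
DETAIL_COLUMNS = OrderedDict([
    ("method", "Method"),
    ("response_code", "Response Code"),
    ("user_agent", "User Agent"),
    ("url", "URL"),
])


def flatten_row(row):
    """Return {column_api_name: value} for a flat row or a REST-style row with 'cells'."""
    cells = row.get("cells")
    if cells is None:
        return dict(row)
    return {name: cell.get("value") for name, cell in cells.items()}


def group_by_event(rows):
    """Group rows by event name, keeping unique non-empty values per column in first-seen order."""
    events = OrderedDict()
    for raw in rows:
        row = flatten_row(raw)
        event = row.get(EVENT_COLUMN)
        if event in (None, ""):
            continue  # a row with no event name cannot be attributed to any group; skip it
        details = events.setdefault(event, OrderedDict((c, []) for c in DETAIL_COLUMNS))
        for column in DETAIL_COLUMNS:
            value = row.get(column)
            if value in (None, ""):
                continue
            value = str(value)  # response codes arrive as ints; normalise to text
            if value not in details[column]:
                details[column].append(value)
    return events


def render_summary(rows):
    """Render the grouped rows in the numbered layout requested in the question."""
    lines = []
    for index, (event, details) in enumerate(group_by_event(rows).items(), start=1):
        lines.append("%d. Event Name: %s" % (index, event))
        for column, label in DETAIL_COLUMNS.items():
            values = details[column]
            if not values:
                continue
            prefix = "- %s: " % label
            lines.append(prefix + values[0])
            for extra in values[1:]:
                # continuation values are indented to line up under the first one
                lines.append(" " * len(prefix) + extra)
        lines.append("")
    return "\n".join(lines).rstrip("\n")


# Constructed sample rows standing in for what an Ariel query would populate:
# one row per (event, method, URL) combination, as the table in the question implies.
SAMPLE_ROWS = [
    {"event_name": "ABCD", "method": "GET", "response_code": 200,
     "user_agent": "abcdefg", "url": "https://qwerty.com"},
    {"event_name": "ABCD", "method": "POST", "response_code": 200,
     "user_agent": "abcdefg", "url": "https://asdfgh.com"},
    {"event_name": "WXYZ", "method": "GET", "response_code": 201,
     "user_agent": "jklmnop", "url": "https://zxcvbn.com"},
    {"event_name": "WXYZ", "method": "DELETE", "response_code": 201,
     "user_agent": "pqrstuv", "url": "https://mnbvcx.com"},
    # One row in the REST 'cells' shape to show both forms are handled.
    {"id": 5, "cells": {"event_name": {"value": "JKLM"}, "method": {"value": "POST"},
                        "response_code": {"value": 404}, "user_agent": {"value": "uvwxyz"},
                        "url": {"value": "https://lkjhgfd.com"}}},
]

if __name__ == "__main__":
    print(render_summary(SAMPLE_ROWS))
```

In an in-product script the returned string would be written to a text field on the incident rather than printed; de-duplicating per column means repeated rows from the Ariel query do not produce repeated lines in the summary.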