Hi
I am trying to grab some information from QRadar automatically when a new Offense is sent to SOAR.
I get the following error message when testing (rendering the template) :
Here is the script (in the workflow) :
import datetime
DateDebutOffense = datetime.datetime.fromtimestamp(incident.discovered_date/1000-5*3600)
DateStart = " '" + DateDebutOffense.strftime("%Y-%m-%d %H:%M") + "' "
LimitNbEvents = 10
query = """SELECT QIDNAME(qid) as event_name, DATEFORMAT(starttime, 'yyyy-MM-dd hh:mm:ss') as event_time, categoryname(category) as category_name,logsourcename(logsourceid) as logsourcename, application, "Application Category", username,sourceip,destinationip, URL, "URL Path", "Action", "Bytes Sent", "Bytes Received" FROM events WHERE INOFFENSE({}) AND devicetype NOT IN(18) LIMIT """
text_query = query.format(incident.properties.qradar_id)
inputs.qradar_query = inputs.qradar_query + str(LimitNbEvents)
inputs.qradar_query = inputs.qradar_query + " START" + DateStart + " STOP PARSEDATETIME('now')"
inputs.qradar_query_type = "topevents"
Screenshot of the script :
The fields that are included in "Qradar Top Events"
I don't understand why I get this error in the SOAR pluggin :
Template render test passed!
Simulated case submission test failed! See client.log for details.
: {"success":false,"title":null,"message":"Unable to set inputs using a script for Function 'QRadar Top Events' from Playbook 'COCD-Test-Risky' because: AttributeError: Invalid field name: qradar_query","hints":[],"error_code":"generic"}
I can't find the client.log anywhere (I'm cloudbased for QRadar).
Can anyone help ? I basically want to start a QRadar search automatically when an incident is openned in SOAR.
Best regards,
PA Forand
------------------------------
Pierre-Alexandre Forand
------------------------------