I am integrating QRadar with ServiceNow and want to import a specific custom event field "Alert Severity(Custom)" into ServiceNow as part of the offense event data.
Goal: I want to identify the backend key name, i.e. how it will appear in the IBM QRadar payload, so that I can map this field (what it appears as in the payload, e.g. 'alertSeverityCustom' : High). I need to be able to fetch this field into ServiceNow offense ingestion.
Challenge: I don't know the exact backend key name of this field in QRadar.
What I have tried:
>Using the API, queried events in the offense using UTF8(payload) to see the raw payload and searched the output for possible field names.
>Using the API, tried to use select * from events WHERE InOffense(xxx) last 2 DAYS - this only returns default columns, not all possible fields.
>Used combinations of this field name to try mapping/pulling it into ServiceNow, like Alert_Severity_Custom, alertSeverityCustom, etc.
>Raised a ServiceNow case. As per them, this field is custom and whatever fields are available for mapping will appear in the integration, but it's not, and they were also the ones who suggested using the API to see the available fields.
Questions:
1> How do I find the backend key name for a field that appears in QRadar's UI but is not obvious in query results?
2> If the field doesn't exist in the payload, how can I confirm this and make it available for mapping?