IBM Security QRadar SOAR


Add multiple items to Reference Set in QRadar from Resilient

  • 1.  Add multiple items to Reference Set in QRadar from Resilient

    Posted Thu March 25, 2021 06:38 AM

    Hi All,

    I am trying to add multiple IPs from Resilient to a QRadar Reference Set. However, I am getting a 422 status_code saying 'The request was well-formed but was unable to be followed due to semantic errors'.

    When I try to add a single IP, it gets added perfectly. But when I try to pass, let's say, two IPs, comma-separated, it throws the above error. In actual scenarios, there could be multiple IPs (more than two) to be added to the Reference Set.

    Can anyone please advise how we can add multiple IPs to a Reference Set in QRadar?


    Thanks,



    ------------------------------
    Akhilesh Deshmukh,
    Data Analyst, SecurityHQ
    ------------------------------


  • 2.  RE: Add multiple items to Reference Set in QRadar from Resilient

    Posted Thu March 25, 2021 10:03 AM
    Hi Akhilesh,

    I tested this by attempting to add multiple IP addresses into a reference set from the QRadar and it failed as well. However, there is a /bulk_load API call which is intended for your use case. This API call isn't part of our QRadar app at this time.

    ------------------------------
    Mark Scherfling
    ------------------------------
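
The /bulk_load call mentioned in the reply above, sketched as an added example that is not part of the thread or of IBM's QRadar app: it validates a comma-separated IP string and builds one POST whose body is a JSON array of values. The request layout follows QRadar's `reference_data/sets/bulk_load/{name}` REST endpoint with an authorized service token in the `SEC` header; the host, set name, token and sample IPs are constructed placeholders.

```python
import ipaddress
import json
import urllib.request
from urllib.parse import quote


def parse_ip_list(raw):
    """Split a comma-separated string into unique, normalised IPs plus rejects."""
    valid, rejected, seen = [], [], set()
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        try:
            ip = str(ipaddress.ip_address(item))
        except ValueError:
            rejected.append(item)  # never forward unvalidated text to the SIEM
            continue
        if ip not in seen:
            seen.add(ip)
            valid.append(ip)
    return valid, rejected


def build_bulk_load_request(host, set_name, token, ips):
    """Build (but do not send) the POST that loads all values in one call."""
    url = "https://{}/api/reference_data/sets/bulk_load/{}".format(
        host, quote(set_name, safe=""))
    headers = {
        "SEC": token,  # QRadar authorized service token
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    # The body is a JSON array, one element per value, not a comma-joined string.
    body = json.dumps(ips).encode("utf-8")
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    # Constructed sample input; host, set name and token are placeholders.
    ips, bad = parse_ip_list("10.0.0.5, 192.168.1.20,10.0.0.5, not-an-ip")
    req = build_bulk_load_request("qradar.example.com", "Blocked IPs", "<token>", ips)
    print(req.get_method(), req.full_url)
    print(req.data.decode(), "rejected:", bad)
    # Send with urllib.request.urlopen(req), keeping TLS certificate verification on.
```

Rejected entries are returned separately so a playbook can log them instead of silently dropping them or writing malformed values into a set that correlation rules depend on.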



  • 3.  RE: Add multiple items to Reference Set in QRadar from Resilient

    Posted Fri March 26, 2021 01:25 AM
    Hi Mark,

    Thank you for your response.

    I have devised a workaround for this. Since it is not possible to add multiple IPs from fn_qradar_function, I am adding all the IPs as artifacts to the Incident from the script. Once the IPs get added as artifacts, I have implemented a rule to add all those IPs to the QRadar Reference Set.

    Fortunately, it is working as expected.

    Thanks,

    ------------------------------
    Akhilesh Deshmukh,
    Data Analyst, SecurityHQ
    ------------------------------