Hi Mark,
Thank you for your response.
I have devised a workaround for this. Since it is not possible to add multiple IPs from fn_qradar_function, I am adding all the IPs as artifacts to the Incident from the script. Once the IPs get added as artifacts, I have implemented a rule to add all those IPs to the QRadar Reference Set.
Fortunately, it is working as expected.
Thanks,
------------------------------
Akhilesh Deshmukh,
Data Analyst, SecurityHQ
------------------------------
Original Message:
Sent: Thu March 25, 2021 10:03 AM
From: Mark Scherfling
Subject: Add multiple items to Reference Set in QRadar from Resilient
Hi Akhilesh,
I tested this by attempting to add multiple IP addresses into a reference set from the QRadar and it failed as well. However, there is a /bulk_load API call which is intended for your use case. This API call isn't part of our QRadar app at this time.
------------------------------
Mark Scherfling
Original Message:
Sent: Thu March 25, 2021 06:38 AM
From: Akhilesh Deshmukh
Subject: Add multiple items to Reference Set in QRadar from Resilient
Hi All,
I am trying to add multiple IPs from Resilient to a QRadar Reference Set. However, I am getting a 422 status_code saying 'The request was well-formed but was unable to be followed due to semantic errors'.
When I try to add a single IP, it gets added perfectly. But when I try to pass, let's say, two IPs comma separated, it throws the above error. In actual scenarios, there could be multiple IPs (more than two) to be added to the Reference Set.
Can anyone please advise how we can achieve adding multiple IPs to a Reference Set in QRadar?
Thanks,
------------------------------
Akhilesh Deshmukh,
Data Analyst, SecurityHQ
------------------------------
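The /bulk_load call mentioned in the thread takes a JSON array rather than a comma-separated string. The sketch below is an added example, not code from the thread or from the QRadar app: it validates and de-duplicates artifact values, then builds batched POST requests. The host, token, set name, batch size and sample values are constructed placeholders, and the `/api/reference_data/sets/bulk_load/{name}` path and `SEC` token header are assumed from the QRadar REST API.

```python
import ipaddress
import json
import urllib.parse
import urllib.request


def normalize_ips(raw_values):
    """Split comma-separated strings, validate each entry, drop duplicates."""
    seen, valid, rejected = set(), [], []
    for raw in raw_values:
        for item in raw.split(","):
            item = item.strip()
            if not item:
                continue
            try:
                ip = str(ipaddress.ip_address(item))
            except ValueError:
                rejected.append(item)  # keep for analyst review, never send
                continue
            if ip not in seen:
                seen.add(ip)
                valid.append(ip)
    return valid, rejected


def build_bulk_load_requests(host, token, set_name, ips, batch_size=500):
    """Build one POST per batch; each body is a JSON array of values."""
    url = "https://%s/api/reference_data/sets/bulk_load/%s" % (
        host, urllib.parse.quote(set_name, safe=""))
    headers = {"SEC": token, "Content-Type": "application/json",
               "Accept": "application/json"}
    reqs = []
    for start in range(0, len(ips), batch_size):
        body = json.dumps(ips[start:start + batch_size]).encode("utf-8")
        reqs.append(urllib.request.Request(url, data=body,
                                           headers=headers, method="POST"))
    return reqs


# Constructed sample artifact values (documentation address ranges).
ARTIFACT_VALUES = ["192.0.2.10, 192.0.2.11", "198.51.100.7",
                   "192.0.2.10", "not-an-ip"]

if __name__ == "__main__":
    ips, bad = normalize_ips(ARTIFACT_VALUES)
    for req in build_bulk_load_requests("qradar.example.test",
                                        "PLACEHOLDER_TOKEN", "Blocked IPs",
                                        ips, batch_size=2):
        # Print instead of sending; urllib.request.urlopen(req) would send it.
        print(req.get_method(), req.full_url, req.data.decode())
    print("rejected:", bad)
```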