IBM Security QRadar SOAR

  • 1.  Is it possible to populate AQL results from QRadar in a data table?

    Posted Thu September 16, 2021 06:03 PM
    Dear Community,

    We are using the QRadar search function to fetch results from QRadar, but it gives us the output as a CSV in the attachment tab. I wonder whether it is possible to fetch results from QRadar events through AQL and populate the results in a data table?

    ------------------------------
    Mohsin Ali
    ------------------------------


  • 2.  RE: Is it possible to populate AQL results from QRadar in a data table?

    IBM Champion
    Posted Fri September 17, 2021 10:02 AM
    Mohsin,

    Are you using the qradar_search function from this integration? Would you mind sharing a screenshot of the workflow you are using?

    ------------------------------
    Liam Mahoney
    ------------------------------



  • 3.  RE: Is it possible to populate AQL results from QRadar in a data table?

    Posted Sun September 19, 2021 08:04 AM
    Hi Liam,

    I am using https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4. There is no workflow in there; it takes parameters as input.
    SS for Rule

    How it looks when we query an artifact




    ------------------------------
    Mohsin Ali
    ------------------------------



  • 4.  RE: Is it possible to populate AQL results from QRadar in a data table?

    Posted Mon September 20, 2021 09:11 AM
    If you are using the IBM SOAR QRadar Plugin integration in QRadar, it will by default populate a CSV table; this is the output format of this app.
    You could use the QRadar Functions for SOAR app, which allows you to use the Search function to design an AQL query in a workflow and populate the result in a table.
    You can also use the QRadar Enhanced Data Migration app, which populates the main top tables directly, with a direct link to the new pivot AQL design in QRadar, speeding up the result when the analyst wants to pivot directly in QRadar, but it will look like he is still in SOAR.

    I strongly suggest you use ALL of them :)

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
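    A post-process script of the kind the workflow in the reply above would need, written here as an added example that is not from the thread or from IBM's apps: it assumes the search function returns a dict with an "events" list keyed by AQL column name, uses a hypothetical data table "qradar_aql_events" with hypothetical column names, and swaps SOAR's platform-provided `incident` object for a small offline stand-in so it runs as-is.

```python
from datetime import datetime, timezone

TABLE_API_NAME = "qradar_aql_events"  # hypothetical data table API name

# Constructed sample of what the search function is assumed to return for an
# AQL query like: SELECT sourceip, destinationip, starttime, QIDNAME(qid), eventcount
# (assumed shape: dict with an "events" list keyed by AQL column name).
SAMPLE_RESULTS = {
    "events": [
        {"sourceip": "10.0.0.5", "destinationip": "192.0.2.10", "starttime": 1631808000000,
         "QIDNAME(qid)": "Firewall Deny", "eventcount": 3},
        # second event lacks a destination and a count, as sparse AQL rows can
        {"sourceip": "10.0.0.7", "destinationip": None, "starttime": 1631808060000,
         "QIDNAME(qid)": "Firewall Permit"},
    ]
}


class FakeIncident:
    """Offline stand-in for the SOAR `incident` object; only addRow() is modelled."""
    def __init__(self):
        self.rows = []

    def addRow(self, table_api_name):
        row = {"_table": table_api_name}
        self.rows.append(row)
        return row


def epoch_ms_to_iso(ms):
    """QRadar starttime is epoch milliseconds; render it as UTC ISO-8601 text."""
    if ms is None:
        return ""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def populate_table(incident, results):
    """Add one data table row per AQL event (hypothetical column names); return rows added."""
    added = 0
    for event in results.get("events") or []:
        row = incident.addRow(TABLE_API_NAME)
        row["source_ip"] = event.get("sourceip") or ""
        row["destination_ip"] = event.get("destinationip") or ""
        row["event_time"] = epoch_ms_to_iso(event.get("starttime"))
        row["event_name"] = event.get("QIDNAME(qid)") or ""
        row["event_count"] = int(event.get("eventcount") or 0)
        added += 1
    return added
```

    In a real workflow the platform supplies `incident` and `results`, so only the `populate_table` body would be pasted into the script.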



  • 5.  RE: Is it possible to populate AQL results from QRadar in a data table?

    Posted Wed September 22, 2021 03:39 PM

    Hi Mohsin,

    As Benoit mentioned above, there are various options using the different apps that we have available for the QRadar SOAR integration. However, if you were looking for an out-of-the-box experience where you would get information such as Events, Flows, Contributing Rules, Assets, Source/Dest IP and Categories all in respective data tables with live links to QRadar, I would highly recommend the QRadar Enhanced Data Migration app.

    The queries for each of the data tables are highly customizable. Attaching a sample here.



    ------------------------------
    Chaitanya Challa
    ------------------------------