IBM Security QRadar SOAR

Hi,

I would like to add {{ offense.start_time }} value to the Description field but after the escalation it appears in timestamp format:
Time: 1472222529259

But I need to display as the original field:
08/26/2016 16:42:09

How can I change the format inside the field?

Thank you!

Regards,
Adam

------------------------------
Adam Csurhes
------------------------------

Hi @Adam,

Unfortunately​, this is a limitation of the QRadar API (see page number 613 here) that is left untouched in the Resilient App for QRadar. Resilient could fix this by creating an illegitimate field for use in templates that handles the conversions on the app back-end before passing to the APIs, but this would require a bit of work. - Turns out, they did.

Another solution for this would be:

1. Create a rule that runs automatically on the QRadar Offense incident creation.
2. Create a script that updates incident description with a readable datetime string, rather than an epoch string.
   1. To do this, either using string parsing with split()  ... or use regex to find the epoch substring.
   2. Convert the epoch substring following this guide.
   3. Replace the epoch substring with the readable datetime string using replace()
3. Have the rule created in step #1 run the script created in step #2.

------------------------------
Jared Fagel
Cyber Security Analyst I
Public Utility
------------------------------

Original Message:
Sent: Wed January 29, 2020 07:04 AM
From: Adam
Subject: Escalation Template Date format

Hi,

I would like to add {{ offense.start_time }} value to the Description field but after the escalation it appears in timestamp format:
Time: 1472222529259

But I need to display as the original field:
08/26/2016 16:42:09

How can I change the format inside the field?

Thank you!

Regards,
Adam

------------------------------
Adam Csurhes
------------------------------

Hi Adam, 

In an older version of both Resilient and QRadar we were able to change the start time from epoch in the Resilient escalation.  I do not know if this still works, as we've changed around our template, but it's probably worth a try. 

 {{offense.start_time |iso8601 }}

Good luck, 
Adina

------------------------------
Adina Bodkins
------------------------------

Original Message:
Sent: Wed January 29, 2020 07:04 AM
From: Adam
Subject: Escalation Template Date format

Hi,

I would like to add {{ offense.start_time }} value to the Description field but after the escalation it appears in timestamp format:
Time: 1472222529259

But I need to display as the original field:
08/26/2016 16:42:09

How can I change the format inside the field?

Thank you!

Regards,
Adam

------------------------------
Adam Csurhes
------------------------------

Good spot Adina. It looks like Resilient did tackle this issue (and others) in app for QRadar.

See page 18 of the "QRadar Integration Guide"

------------------------------
Jared Fagel
Cyber Security Analyst I
Public Utility
------------------------------

Original Message:
Sent: Thu January 30, 2020 08:20 AM
From: Adina Bodkins
Subject: Escalation Template Date format

Hi Adam, 

In an older version of both Resilient and QRadar we were able to change the start time from epoch in the Resilient escalation.  I do not know if this still works, as we've changed around our template, but it's probably worth a try. 

 {{offense.start_time |iso8601 }}

Good luck, 
Adina

------------------------------
Adina Bodkins

Original Message:
Sent: Wed January 29, 2020 07:04 AM
From: Adam
Subject: Escalation Template Date format

Hi,

I would like to add {{ offense.start_time }} value to the Description field but after the escalation it appears in timestamp format:
Time: 1472222529259

But I need to display as the original field:
08/26/2016 16:42:09

How can I change the format inside the field?

Thank you!

Regards,
Adam

------------------------------
Adam Csurhes
------------------------------

Hi Adina,

It works, thank you very much for your help.

Regards,
Adam

------------------------------
Adam
------------------------------

Original Message:
Sent: Thu January 30, 2020 08:20 AM
From: Adina Bodkins
Subject: Escalation Template Date format

Hi Adam, 

In an older version of both Resilient and QRadar we were able to change the start time from epoch in the Resilient escalation.  I do not know if this still works, as we've changed around our template, but it's probably worth a try. 

 {{offense.start_time |iso8601 }}

Good luck, 
Adina

------------------------------
Adina Bodkins

Original Message:
Sent: Wed January 29, 2020 07:04 AM
From: Adam
Subject: Escalation Template Date format

Hi,

I would like to add {{ offense.start_time }} value to the Description field but after the escalation it appears in timestamp format:
Time: 1472222529259

But I need to display as the original field:
08/26/2016 16:42:09

How can I change the format inside the field?

Thank you!

Regards,
Adam

------------------------------
Adam Csurhes
------------------------------