IBM Security QRadar SOAR

Hi,
I wrote a simple playbook in which I am using the QRadar Search function from the fn_qradar_integration App.
I want to use the script method to provide the function inputs.
I modeled my script from the workflow example provided with the App.
After many tries wihich yielded many different errors I am calling for help.
You will find below the code of my input script.  Could someone help me with the correct syntax.
Thanks

inputs.qradar_query = "SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES"

inputs.qradar_query_param1 = DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, CATEGORYNAME(category), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid), RULENAME(creeventlist),"Threat Name" as Menace,"Source Workstation" as SourceMenace,"File Path" as Filepath

inputs.qradar_query_param2 = incident.properties.qradar_id

inputs.qradar_query_param3 = 43320

inputs.qradar_query_range_start = 1

inputs.qradar_query_all_results = "No"

------------------------------
Pierre Dufresne
------------------------------

Hi Pierre,
1. Can you check the AQL on Qradar itself? Does it provide results?
2. Check the incident.properties.qradar_id field. Does it have a correct value?
3. What kind of errors do you have?

BR,



------------------------------
Alexander Saulenko
------------------------------

Original Message:
Sent: Thu October 07, 2021 03:45 PM
From: Pierre Dufresne
Subject: How to set the parameters of the QRadar Search function in a playbook script

Hi,
I wrote a simple playbook in which I am using the QRadar Search function from the fn_qradar_integration App.
I want to use the script method to provide the function inputs.
I modeled my script from the workflow example provided with the App.
After many tries wihich yielded many different errors I am calling for help.
You will find below the code of my input script.  Could someone help me with the correct syntax.
Thanks

inputs.qradar_query = "SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES"

inputs.qradar_query_param1 = DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, CATEGORYNAME(category), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid), RULENAME(creeventlist),"Threat Name" as Menace,"Source Workstation" as SourceMenace,"File Path" as Filepath

inputs.qradar_query_param2 = incident.properties.qradar_id

inputs.qradar_query_param3 = 43320

inputs.qradar_query_range_start = 1

inputs.qradar_query_all_results = "No"

------------------------------
Pierre Dufresne
------------------------------

Hi Alexander,

Thanks for your reply.
I did check the AQL in QRadar and it worked.
Here is how I solved my problem: I am now building the whole query in the "inputs.qradar_query " and in doing so, I am not relying on the "%param1%" syntax of the example.
It is now working.  Thanks to you for suggesting to try the query in QRadar.

------------------------------
Pierre Dufresne
------------------------------

Original Message:
Sent: Mon October 11, 2021 02:29 AM
From: Alexander Saulenko
Subject: How to set the parameters of the QRadar Search function in a playbook script

Hi Pierre,
1. Can you check the AQL on Qradar itself? Does it provide results?
2. Check the incident.properties.qradar_id field. Does it have a correct value?
3. What kind of errors do you have?

BR,



------------------------------
Alexander Saulenko

Original Message:
Sent: Thu October 07, 2021 03:45 PM
From: Pierre Dufresne
Subject: How to set the parameters of the QRadar Search function in a playbook script

Hi,
I wrote a simple playbook in which I am using the QRadar Search function from the fn_qradar_integration App.
I want to use the script method to provide the function inputs.
I modeled my script from the workflow example provided with the App.
After many tries wihich yielded many different errors I am calling for help.
You will find below the code of my input script.  Could someone help me with the correct syntax.
Thanks

inputs.qradar_query = "SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES"

inputs.qradar_query_param1 = DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, CATEGORYNAME(category), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid), RULENAME(creeventlist),"Threat Name" as Menace,"Source Workstation" as SourceMenace,"File Path" as Filepath

inputs.qradar_query_param2 = incident.properties.qradar_id

inputs.qradar_query_param3 = 43320

inputs.qradar_query_range_start = 1

inputs.qradar_query_all_results = "No"

------------------------------
Pierre Dufresne
------------------------------

I agree that the function is confusing. I ended up ripping it apart and remaking it. I created an issue on the SOAR GitHub about this, hoping they'll consider making similar changes to what I did. Feel free to reference my code.

Reference: https://github.com/ibmresilient/resilient-community-apps/issues/52

------------------------------
Jared Fagel
Cyber Security Analyst
ALLETE Inc.
------------------------------

Original Message:
Sent: Tue October 12, 2021 11:43 AM
From: Pierre Dufresne
Subject: How to set the parameters of the QRadar Search function in a playbook script

Hi Alexander,

Thanks for your reply.
I did check the AQL in QRadar and it worked.
Here is how I solved my problem: I am now building the whole query in the "inputs.qradar_query " and in doing so, I am not relying on the "%param1%" syntax of the example.
It is now working.  Thanks to you for suggesting to try the query in QRadar.

------------------------------
Pierre Dufresne

Original Message:
Sent: Mon October 11, 2021 02:29 AM
From: Alexander Saulenko
Subject: How to set the parameters of the QRadar Search function in a playbook script

Hi Pierre,
1. Can you check the AQL on Qradar itself? Does it provide results?
2. Check the incident.properties.qradar_id field. Does it have a correct value?
3. What kind of errors do you have?

BR,



------------------------------
Alexander Saulenko

Original Message:
Sent: Thu October 07, 2021 03:45 PM
From: Pierre Dufresne
Subject: How to set the parameters of the QRadar Search function in a playbook script

Hi,
I wrote a simple playbook in which I am using the QRadar Search function from the fn_qradar_integration App.
I want to use the script method to provide the function inputs.
I modeled my script from the workflow example provided with the App.
After many tries wihich yielded many different errors I am calling for help.
You will find below the code of my input script.  Could someone help me with the correct syntax.
Thanks

inputs.qradar_query = "SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% MINUTES"

inputs.qradar_query_param1 = DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') as StartTime, CATEGORYNAME(category), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid), RULENAME(creeventlist),"Threat Name" as Menace,"Source Workstation" as SourceMenace,"File Path" as Filepath

inputs.qradar_query_param2 = incident.properties.qradar_id

inputs.qradar_query_param3 = 43320

inputs.qradar_query_range_start = 1

inputs.qradar_query_all_results = "No"

------------------------------
Pierre Dufresne
------------------------------