IBM Security QRadar SOAR

  • 1.  Parsing from the incident payload table

    Posted Wed February 12, 2020 06:14 AM
    Edited by Aitor Vivanco Santa Cruz Wed February 12, 2020 06:19 AM
    Hello,

    I'm using the workflow "Qradar search for offense ID". I was able to extract the payload with the UTF-8(payload) query. Then I want to parse it to extract some information from that payload and put it in an incident field. For example, the group name and group domain. They are marked in the photo.

    Is this exercise possible? It would help me a lot.


    Table name: qradar_offense_event
    Column name: payload

    Thank you.

    ------------------------------
    Aitor Vivanco Santa Cruz
    ------------------------------


  • 2.  RE: Parsing from the incident payload table

    Posted Fri February 14, 2020 08:45 AM
    Hi Aitor

    So is it one big string you want to parse the group name and the group domain from?

    You can use python split() method to operate on the string if you know the delimiters.
    Using split on the big string: string.split('Nombre de grupo:') would return 2 strings: the first string would contain the substring of the big string ending in 'Nombre de grupo:' and the second string would contain the rest of the big string. You could then split the second string on 'Dominio de grups' and the first string of that split would contain the group number with those extra characters that you need to parse out. Then split the second string again to get the group domain.

    Does that help?

    AnnMarie



    ------------------------------
    AnnMarie Norcross
    ------------------------------



  • 3.  RE: Parsing from the incident payload table

    Posted Fri February 14, 2020 09:05 AM
    Hi AnnMarie,

    I want to get the results of "Nombre del Grupo" and "Dominio del Grupo" (which are CPA Comercial and Coren, as you see on the payload). And then, put into the fields of incident details. So the python split() could work for that?

    Thank you

    ------------------------------
    Aitor Vivanco Santa Cruz
    ------------------------------



  • 4.  RE: Parsing from the incident payload table

    Posted Fri February 14, 2020 01:01 PM
    Hi Aitor,

    Where are you trying to do the parsing of the string?  In a workflow post processor script?

    Python regex would probably be the best thing to use for parsing the string, but that is not available in scripts.
    split(), lstrip(), rstrip() and strip() can be used in a script to split the string and then strip off characters.

    Can you control the format of the string? It seems like the '[09' substring is the ASCII code for TAB and '[0D' is the ASCII code for CR?

    AnnMarie

    ------------------------------
    AnnMarie Norcross
    ------------------------------
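    The split()/strip() approach AnnMarie describes in replies 2 and 4, as an added example that is not part of this thread. The payload text, the label spellings ("Nombre de grupo:" and "Dominio de grupo:"), and the bracketed marker form ('[09' for TAB, '[0D' for CR) are all assumptions constructed for the example, since the screenshot is not available; it uses only str.split() and str.strip(), which are the calls available in a SOAR script.

```python
# Added example: parse group name and group domain out of a QRadar event
# payload using only split()/strip(), as the thread recommends for SOAR scripts.

# Constructed sample payload (not taken from the original post). Real tab and
# carriage-return characters stand in for the '[09' / '[0D' markers mentioned
# in the thread; the label names are assumptions about the event text.
SAMPLE_PAYLOAD = (
    "Se agrego un miembro a un grupo.\r\n"
    "Grupo:\r\n"
    "\tId. de seguridad:\tS-1-5-21-0-0-0-1000\r\n"
    "\tNombre de grupo:\tCPA Comercial\r\n"
    "\tDominio de grupo:\tCoren\r\n"
    "Informacion adicional:\r\n"
)


def normalize_markers(text):
    """Turn bracketed control-code markers into the characters they stand for.

    Assumption: the payload spells the markers exactly as '[09' and '[0D'
    (the thread says these represent TAB and CR). If the payload already
    contains real control characters this is a no-op.
    """
    return text.replace("[09", "\t").replace("[0D", "\r")


def extract_after_label(text, label):
    """Return the value that follows `label` on the same line, or None.

    Step 1: split once on the label; the second piece is everything after it.
    Step 2: cut that piece at the first CR or LF so only this line's value remains.
    Step 3: strip the surrounding TAB/CR/LF/space characters the thread calls
            "extra characters that you need to parse out".
    """
    parts = text.split(label, 1)
    if len(parts) < 2:
        return None          # label absent: do not guess a value
    rest = parts[1]
    for line_break in ("\r", "\n"):
        rest = rest.split(line_break, 1)[0]
    return rest.strip(" \t\r\n")


def parse_group_fields(payload):
    """Extract the two fields the thread wants to copy into incident details."""
    text = normalize_markers(payload)
    return {
        "group_name": extract_after_label(text, "Nombre de grupo:"),
        "group_domain": extract_after_label(text, "Dominio de grupo:"),
    }


if __name__ == "__main__":
    fields = parse_group_fields(SAMPLE_PAYLOAD)
    print(fields)
    # In a SOAR post-process script the results would be assigned to custom
    # incident fields, e.g. incident.properties.group_name = fields["group_name"];
    # the custom field API names are an assumption here.
```

    Splitting once (`split(label, 1)`) and cutting at the first line break keeps the function from picking up text from later lines if a label happens to appear more than once, and returning None for a missing label lets the script leave the incident field untouched instead of writing a mangled value.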



  • 5.  RE: Parsing from the incident payload table

    Posted Sat February 15, 2020 05:06 AM
    Hello AnnMarie,

    I haven't planned the script yet, because I don't know if there is any possibility for that. The string format can be controlled, yes. "It seems like the '[09' substring is ascii code for TAB and '[0D' is ascii code for CR?" - Yes, that's right.

    Best regards

    ------------------------------
    Aitor Vivanco Santa Cruz
    ------------------------------