Hi all
I am running a custom AQL query against QRadar from SOAR to get additional payload onto the existing incident. I followed "Example of searching QRadar events using offense id". Workflow activities performed:
- qradar search function is used
- modified post processing script to reflect new fields
- created new data table
AQL query: SELECT %param1% FROM events WHERE INOFFENSE(%param2%) LAST %param3% DAYS
param1 = QIDNAME(qid) as 'Event Name',"Logon IP" as 'Logon IP',"Logon Location" as 'Logon Location',"username" as 'username'
preprocessing script:
# copy the incident's QRadar offense id into the function input used by INOFFENSE(%param2%)
inputs.qradar_query_param2 = incident.properties.qradar_id
if rule.properties.qradar_query_all_results:
    inputs.qradar_query_all_results = rule.properties.qradar_query_all_results
postprocessing script:
# one data table row per event returned by the QRadar search
for event in results.events:
    qradar_event = incident.addRow("qradar_logon_event")
    qradar_event.LogonLocation = event.LogonLocation
    qradar_event.username = event.username
    qradar_event.Event_Name = event.EventName
    qradar_event.Logonip = event.logonip
Error observed:
An error occurred while processing the action acknowledgement. Additional information: Unable to run the post-processing script for Function QRadar Search due to the following errors: Invalid field name: LogonLocation
Any leads on where this needs to be corrected?
I have created a data table with the fields as well, but no luck.
------------------------------
Vijay Reddy
------------------------------
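The post-processing step above runs inside the SOAR scripting sandbox, where `incident` and `results` are supplied by the platform, so it cannot be exercised outside it. The following is an added, stand-alone model of that step (it is not the poster's script and not IBM's API): the `Incident`/`Row` classes, the data table column API names, the alias-to-API-name rule and the sample events are all assumptions. It reproduces the class of failure in the error message, an attribute set on a row that is not one of the table's columns, and shows the check a practitioner would add: map each AQL select alias (which may contain spaces, like `'Logon Location'`) to a column API name and verify the whole set of names against the table before adding any row, so a mismatch is reported once with the full list rather than as a single "Invalid field name" on the first assignment.

```python
"""Offline model of a SOAR post-processing script that copies QRadar AQL
results into a data table.  Added example; the classes, column names and
events below are assumptions, not the platform's real objects."""

import re

# Assumed column API names of a data table named "qradar_logon_event".
DATATABLE_COLUMNS = {
    "qradar_logon_event": {"event_name", "logon_ip", "logon_location", "username"},
}

# Constructed sample events, keyed the way the AQL aliases in the query name
# them (SELECT QIDNAME(qid) as 'Event Name', "Logon IP" as 'Logon IP', ...).
SAMPLE_EVENTS = [
    {"Event Name": "User Login Success", "Logon IP": "203.0.113.10",
     "Logon Location": "Frankfurt", "username": "alice"},
    {"Event Name": "User Login Failure", "Logon IP": "198.51.100.7",
     "Logon Location": "Unknown", "username": "bob"},
]


def alias_to_api_name(alias):
    """Assumed naming rule: 'Logon Location' -> 'logon_location'
    (lower-case, runs of non-alphanumerics collapsed to one underscore)."""
    return re.sub(r"[^a-z0-9]+", "_", alias.strip().lower()).strip("_")


class Row:
    """Stands in for the object returned by incident.addRow(): assigning an
    attribute that is not a column of the table is rejected."""

    def __init__(self, table, columns):
        object.__setattr__(self, "table", table)
        object.__setattr__(self, "columns", frozenset(columns))
        object.__setattr__(self, "values", {})

    def __setattr__(self, name, value):
        if name not in self.columns:
            raise ValueError("Invalid field name: %s" % name)
        self.values[name] = value


class Incident:
    """Stands in for the sandbox's `incident` object (tables and their rows)."""

    def __init__(self, tables):
        self.tables = {t: frozenset(c) for t, c in tables.items()}
        self.rows = []

    def addRow(self, table):
        if table not in self.tables:
            raise ValueError("Unknown data table: %s" % table)
        row = Row(table, self.tables[table])
        self.rows.append(row)
        return row


def reproduce_original_error(incident, events):
    """Mirrors the post's script: it sets row.LogonLocation, which is not a
    column of the assumed table, so the first assignment fails.  Returns the
    error text, or None if no error was raised."""
    try:
        row = incident.addRow("qradar_logon_event")
        row.LogonLocation = events[0]["Logon Location"]
    except ValueError as exc:
        return str(exc)
    return None


def add_logon_rows(incident, events, table="qradar_logon_event"):
    """Hardened version: translate every alias to an API name and validate the
    full set against the table's columns before touching any row.  Returns the
    number of rows added."""
    columns = incident.tables[table]
    added = 0
    for event in events:
        mapped = {alias_to_api_name(alias): value for alias, value in event.items()}
        unknown = sorted(set(mapped) - columns)
        if unknown:
            raise ValueError("%s has no column(s) %s; columns are %s"
                             % (table, unknown, sorted(columns)))
        row = incident.addRow(table)
        for name, value in mapped.items():
            setattr(row, name, value)
        added += 1
    return added


if __name__ == "__main__":
    print(reproduce_original_error(Incident(DATATABLE_COLUMNS), SAMPLE_EVENTS))
    ok = Incident(DATATABLE_COLUMNS)
    print(add_logon_rows(ok, SAMPLE_EVENTS), "rows:",
          [r.values for r in ok.rows])
```

The point of the up-front check is that the names on the AQL side (the select aliases, which the result events carry) and the names on the data table side (the column API names) are two independent namespaces; the script is the only place they meet, so that is where they should be compared explicitly.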