IBM Security QRadar SOAR

 View Only
  • 1.  Get Unique count of Destination port from Data table of an incident

    Posted Fri February 14, 2020 10:46 AM
    The data table associated with an incident has a column 'Destination Port' which contains various destination ports. I want to get the unique count of the destination ports and insert into a field in the incident. I just want to access the 'Destination Port' column of the Data Table. How can I solve this thing?

    ------------------------------
    Akhilesh Deshmukh
    ------------------------------


  • 2.  RE: Get Unique count of Destination port from Data table of an incident

    Posted Thu February 20, 2020 12:16 PM

    If you have Rule written for your datatable, you can execute a script will exposes the row object. Then you can access your column as row['destination_port'] (note the use of the column's api name). From there, your logic could look like this:

    count = row['destination_port'].split(',') # choose the separator character
    incident.properties.port_count = count



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: Get Unique count of Destination port from Data table of an incident

    Posted Fri February 21, 2020 06:21 AM
    Thanks Mark for your response. Just a query. The data table we are using is qradar_offense_event. I have associated the script with the rule. But it seems the above code is not working. I am just getting count of 1. It is getting only one row whereas the data table contains more than 100 rows. What should I do?

    ------------------------------
    Akhilesh Deshmukh
    ------------------------------



  • 4.  RE: Get Unique count of Destination port from Data table of an incident

    Posted Tue February 25, 2020 10:51 AM
    Akhilesh,

    I think what Mark is saying is that in a Data Table script, you get access to the row object but not the whole data table.  ​I'd love to see IBM expose Data Table objects, because there are some things I'd like to do with data tables as well, like duplicate checking.  These limitations make data tables less useful.

    ------------------------------
    Brian Mathias
    ------------------------------