IBM Security QRadar SOAR

Hello,
It´s possible get the incident payload by doing an Qradar Ariel Query? The same payload which appears on the Log Activity?
Thank You.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

Hi Aitor

I am looking at the QRadar plugin that performs the Ariel search and it prints the results to the log but it also posts the results to the incident as an attachment.  If you go to the Attachment tab of the Incident in Resilient, do you see the same results posted there?

AnnMarie

------------------------------
AnnMarie Norcross
------------------------------

Original Message:
Sent: Tue November 12, 2019 04:13 AM
From: Aitor Vivanco Sata Cruz
Subject: QRadar Ariel Query from Artifact

Hello,
It´s possible get the incident payload by doing an Qradar Ariel Query? The same payload which appears on the Log Activity?
Thank You.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

Original Message------

Hi Aitor

I am looking at the QRadar plugin that performs the Ariel search and it prints the results to the log but it also posts the results to the incident as an attachment.  If you go to the Attachment tab of the Incident in Resilient, do you see the same results posted there?

AnnMarie

------------------------------
AnnMarie Norcross
------------------------------

You must modify the AQL you are using to include the payload within the results.

SELELECT UTF8(payload)


See more on AQL fields here:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/c_aql_even_flow_fields_ref.html

------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility
------------------------------

Original Message:
Sent: Wed November 13, 2019 02:35 AM
From: Aitor Vivanco Sata Cruz
Subject: QRadar Ariel Query from Artifact

Hi AnnMarie

It creates a CSV with some details, but instead of that I would like to create the whole payload information on the CSV. I mean, extract the same log text that appears on the Log Activity > Event

Thank you.

 

Original Message------

Hi Aitor

I am looking at the QRadar plugin that performs the Ariel search and it prints the results to the log but it also posts the results to the incident as an attachment.  If you go to the Attachment tab of the Incident in Resilient, do you see the same results posted there?

AnnMarie

------------------------------
AnnMarie Norcross
------------------------------

Hello Jared,

It works! Thank you for the help too.

------------------------------
Aitor Vivanco Sata Cruz
------------------------------

Original Message:
Sent: Thu November 14, 2019 09:57 AM
From: Jared Fagel
Subject: QRadar Ariel Query from Artifact

You must modify the AQL you are using to include the payload within the results.

SELELECT UTF8(payload)


See more on AQL fields here:
https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/c_aql_even_flow_fields_ref.html

------------------------------
Jared Fagel
Cyber Security Analyst Intern
Public Utility

Original Message:
Sent: Wed November 13, 2019 02:35 AM
From: Aitor Vivanco Sata Cruz
Subject: QRadar Ariel Query from Artifact

Hi AnnMarie

It creates a CSV with some details, but instead of that I would like to create the whole payload information on the CSV. I mean, extract the same log text that appears on the Log Activity > Event

Thank you.

 

Original Message------

Hi Aitor

I am looking at the QRadar plugin that performs the Ariel search and it prints the results to the log but it also posts the results to the incident as an attachment.  If you go to the Attachment tab of the Incident in Resilient, do you see the same results posted there?

AnnMarie

------------------------------
AnnMarie Norcross
------------------------------