IBM Security SOAR

Is it possible to populate AQL results from QRadar in a data table?

  • 1.  Is it possible to populate AQL results from QRadar in a data table?

    Posted 29 days ago
    Dear Community,

    We are using the QRadar search function to fetch results from QRadar, but it gives us the output as a CSV in the attachment tab. I wonder whether it is possible to fetch results from QRadar events through AQL and populate the results in a data table?

    ------------------------------
    Mohsin Ali
    ------------------------------


  • 2.  RE: Is it possible to populate AQL results from QRadar in a data table?

    Posted 28 days ago
    Mohsin,

    Are you using the qradar_search function from this integration? Would you mind sharing a screenshot of the workflow you are using?

    ------------------------------
    Liam Mahoney
    ------------------------------



  • 3.  RE: Is it possible to populate AQL results from QRadar in a data table?

    Posted 25 days ago
    If you are using the IBM SOAR QRadar Plugin integration in QRadar, it will by default populate a CSV table; this is the output format of this app.
    You could use the QRadar Functions for SOAR app, which allows you to use the Search function to design an AQL query in a workflow and populate the result in a table.
    You can also use the QRadar Enhanced Data Migration app, which populates the main top tables directly, with direct links to the new pivot AQL design in QRadar. This speeds up the result when the analyst wants to pivot directly in QRadar, while it will look like he is still in SOAR.

    I strongly suggest you use ALL of them :)

    ------------------------------
    BENOIT ROSTAGNI
    ------------------------------
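    Benoit's second option, an AQL search run from a workflow whose rows land in a data table, as an added example that is not part of this thread or of IBM's apps. The result shape (a list of dicts keyed by AQL column name), the `incident.addRow` scripting helper and the table and column names are assumptions.

```python
"""Shape QRadar AQL results into SOAR data table rows. Added example, not from
the thread or IBM's apps. Assumed: results arrive as a list of dicts keyed by
AQL column name, and the table is reached through the SOAR scripting helper
`incident.addRow("<table_api_name>")`. Table and column names are hypothetical."""
from datetime import datetime, timezone

# Constructed stand-in for what a search such as "SELECT sourceip, destinationip,
# QIDNAME(qid) AS event_name, starttime FROM events LAST 1 HOURS" returns.
SAMPLE_RESULTS = [
    {"sourceip": "10.0.0.5", "destinationip": "10.0.0.9",
     "event_name": "Login Failure", "starttime": 1700000000000},
    {"sourceip": "10.0.0.5", "destinationip": "10.0.0.12",
     "event_name": "Port Scan", "starttime": 1700000060000},
]
SAMPLE_RESULTS.append(dict(SAMPLE_RESULTS[0]))  # a repeated event, to be dropped

# AQL column name -> data table column API name.
COLUMN_MAP = {"sourceip": "src_ip", "destinationip": "dst_ip",
              "event_name": "event_name", "starttime": "event_time"}

def to_table_rows(results, column_map=COLUMN_MAP):
    """Map events to rows, render the epoch-ms timestamp, drop exact duplicates."""
    seen, rows = set(), []
    for event in results:
        row = {col: event.get(aql) for aql, col in column_map.items()}
        if isinstance(row.get("event_time"), int):  # QRadar starttime is epoch ms
            row["event_time"] = datetime.fromtimestamp(
                row["event_time"] / 1000, tz=timezone.utc).isoformat()
        key = tuple(sorted(row.items()))  # keys are unique, so values never compare
        if key not in seen:
            seen.add(key)
            rows.append(row)
    return rows

def populate_data_table(incident, table_name, rows):
    """Add one data table row per result row; returns the number written."""
    for row in rows:
        dt_row = incident.addRow(table_name)
        for col, value in row.items():
            dt_row[col] = value
    return len(rows)

class StubIncident:
    """Offline stand-in for the `incident` object that SOAR injects into scripts."""
    def __init__(self):
        self.tables = {}
    def addRow(self, table_name):
        self.tables.setdefault(table_name, []).append({})
        return self.tables[table_name][-1]
```

    In a real SOAR script the `incident` object is already in scope, so only `to_table_rows` and `populate_data_table` are needed; `StubIncident` exists to run the shaping logic offline.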



  • 4.  RE: Is it possible to populate AQL results from QRadar in a data table?

    Posted 26 days ago
    Hi Liam,

    I am using https://exchange.xforce.ibmcloud.com/hub/extension/a9bcc3eaebf2a6efc04258b4964a48a4. There is no workflow in there; it takes parameters as input.
    Screenshot for the rule:

    What it looks like when we query an artifact:




    ------------------------------
    Mohsin Ali
    ------------------------------



  • 5.  RE: Is it possible to populate AQL results from QRadar in a data table?

    Posted 23 days ago

    Hi Mohsin,

    As Benoit mentioned above, there are various options using the different apps that we have available for the QRadar SOAR integration. However, if you were looking for an out-of-the-box experience where you would get information such as Events, Flows, Contributing Rules, Assets, Source/Dest IP and Categories, all in respective data tables with live links to QRadar, I would highly recommend the QRadar Enhanced Data Migration app.

    The queries for each of the data tables are highly customizable. Attaching a sample here.



    ------------------------------
    Chaitanya Challa
    ------------------------------