IBM QRadar SOAR

  • 1.  How to do time calculation from current time in SOAR playbook

    Posted Fri October 04, 2024 04:40 PM

    I have an API integration that needs to specify the search start and end timestamps.

    Can I do time calculation in the SOAR playbook?

    For example, if I want to search 7 days of data.   

    Start Time: 10/1/2024T00:00:000-07:00  (This field will be calculated using current time - 7 days)
    End Time:  10/8/2024T00:00:000-07:00 (This field will be filled by current time value)

    I looked up some examples on the Internet, some suggested to use the timedelta module, but SOAR doesn't recognize the function.

     



    ------------------------------
    Raymond Tam
    ------------------------------


  • 2.  RE: How to do time calculation from current time in SOAR playbook
    Best Answer

    Posted Mon October 07, 2024 03:55 AM

    Hi Raymond

    The following is my experience with putting Python 3 variable data into SOAR date time picker fields.

    Given that you use

        python3

        SOAR date time picker fields: start_time, end_time

    Script is like this:

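    from datetime import datetime, timedelta
    # Parse the end of the search window (the seconds field is two digits: 00:00:00)
    end_time = datetime.fromisoformat('2024-10-08T00:00:00+07:00')
    # The start of the window is 7 days earlier
    start_time = end_time - timedelta(days=7)
    # Date time picker fields take integers: scale timestamp() by 1000 and truncate
    incident.properties.start_time = int(start_time.timestamp()*1000)
    incident.properties.end_time = int(end_time.timestamp()*1000)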

    To put Python variable data into a SOAR date time picker field, there are some points:

          1. Convert the Python variable data from datetime fields to a timestamp() object (msec).

          2. Then the result data should be multiplied by 1000 to convert to microsecond order (with decimal point).

          3. Since a SOAR date time picker field only accepts integers, convert the decimal value to an integer.



    ------------------------------
    Yohji Amano
    ------------------------------
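
    The same calculation driven by the current time, as an added example that is not part of the original posts or of IBM's code: it returns the window both as integer epoch values for the date time picker fields and as ISO 8601 text for the API call. The function names, `QUESTION_TZ` and `SAMPLE_NOW` are hypothetical; the sample time is constructed from the question, and it assumes a Python 3 script where `datetime` can be imported, as in the answer above.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Constructed sample values matching the question's -07:00 offset (assumptions).
QUESTION_TZ = timezone(timedelta(hours=-7))
SAMPLE_NOW = datetime(2024, 10, 8, 0, 0, 0, tzinfo=QUESTION_TZ)


def to_epoch_ms(dt):
    """Integer epoch milliseconds for an aware datetime, without float rounding."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        # A naive datetime would silently be read as the server's local time,
        # shifting the search window by the server's UTC offset.
        raise ValueError("naive datetime: attach a timezone before converting")
    return (dt - EPOCH) // timedelta(milliseconds=1)


def search_window(days, now=None, tz=timezone.utc):
    """Window ending at `now` (default: current time) and starting `days` earlier."""
    if days <= 0:
        raise ValueError("days must be positive")
    end = datetime.now(tz) if now is None else now
    end_ms = to_epoch_ms(end)          # also rejects naive input
    end = end.astimezone(tz)           # same instant, rendered in the wanted offset
    start = end - timedelta(days=days)
    return {
        "start_ms": to_epoch_ms(start),
        "end_ms": end_ms,
        "start_iso": start.isoformat(timespec="seconds"),
        "end_iso": end.isoformat(timespec="seconds"),
    }


if __name__ == "__main__":
    w = search_window(7, now=SAMPLE_NOW, tz=QUESTION_TZ)
    print(w)
    # In a SOAR script the two integers go to the fields used in the answer:
    # incident.properties.start_time = w["start_ms"]
    # incident.properties.end_time = w["end_ms"]
```

    Calling `search_window(7)` with no `now` uses the current time in UTC; pass `tz` to get the ISO strings in another offset.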



  • 3.  RE: How to do time calculation from current time in SOAR playbook

    Posted 30 days ago

    Great!  Thanks for the suggestion.



    ------------------------------
    Raymond Tam
    ------------------------------