Dears,

I am new to IBm SOAR and i am trying to implement a new playbook using mainly "QRadar SIEM: QRadar Search" functions.

Below is a summary of the palybook:

First node is initiated based on artifact:
QRadar SIEM: QRadar Search
Output name: node1_search

node1_search results are as below:

{'events': [{'username': 'user1', 'sourceIP': '1.1.1.1', 'starttime': '1747479611111'}],...etc}
{'events': [{'username': 'user2', 'sourceIP': '2.2.2.2', 'starttime': '1747479622222'}],...etc}
{'events': [{'username': 'user3', 'sourceIP': '3.3.3.3', 'starttime': '1747479633333'}],...etc}

Second node is based on the previous results (events).

QRadar SIEM: QRadar Search
Output name: node2_search

I need to add a new "QRadar SIEM: QRadar Search" that should iterate over the previous results and perform the below searched on Qradar:

select destinationip from events where sourceip = '1.1.1.1' and starttime = '1747479611111' last 1 hour
select destinationip from events where sourceip = '2.2.2.2' and starttime = '1747479622222' last 1 hour
select destinationip from events where sourceip = '3.3.3.3' and starttime = '1747479633333' last 1 hour

Kinldy advise if this iteration is doable and how it can be done?

IF you need additional info please let me know.

------------------------------
Nabil Nehme
------------------------------

Hi Nabil , 

looping is not supported out of the box , but I was able to find a workaround.

I have mentioned it here.

repeat a function X time in a playbook | IBM QRadar SOAR

------------------------------
Mohamad islam Hamadieh
I post SOAR content and tips on linkedIn , follow me :)
https://linkedin.com/in/mohamadislam
------------------------------

Original Message:
Sent: Mon May 19, 2025 08:59 AM
From: Nabil Nehme
Subject: How to iterate through the results of a previous function (QRadar SIEM: QRadar Search)

Dears,

I am new to IBm SOAR and i am trying to implement a new playbook using mainly "QRadar SIEM: QRadar Search" functions.

Below is a summary of the palybook:

First node is initiated based on artifact:
QRadar SIEM: QRadar Search
Output name: node1_search

node1_search results are as below:

{'events': [{'username': 'user1', 'sourceIP': '1.1.1.1', 'starttime': '1747479611111'}],...etc}
{'events': [{'username': 'user2', 'sourceIP': '2.2.2.2', 'starttime': '1747479622222'}],...etc}
{'events': [{'username': 'user3', 'sourceIP': '3.3.3.3', 'starttime': '1747479633333'}],...etc}

Second node is based on the previous results (events).

QRadar SIEM: QRadar Search
Output name: node2_search

I need to add a new "QRadar SIEM: QRadar Search" that should iterate over the previous results and perform the below searched on Qradar:

select destinationip from events where sourceip = '1.1.1.1' and starttime = '1747479611111' last 1 hour
select destinationip from events where sourceip = '2.2.2.2' and starttime = '1747479622222' last 1 hour
select destinationip from events where sourceip = '3.3.3.3' and starttime = '1747479633333' last 1 hour

Kinldy advise if this iteration is doable and how it can be done?

IF you need additional info please let me know.

------------------------------
Nabil Nehme
------------------------------