IBM QRadar SOAR

  • 1.  How to Show Top 10 Event Names in SOAR Incident Outbound Email from QRadar Offense Details

    Posted Mon May 05, 2025 10:45 AM
    Hi everyone,
     
    I'm working on customizing an outbound email template in IBM SOAR and need help with extracting specific offense-related data from QRadar.
     
    I want to display the Top 10 Event Names that are part of a QRadar offense (as shown under the "QRadar Offense Details" tab in the SOAR incident) within the email body.
     
    Has anyone done this before or can guide me on how to extract and format these event names in the email template?
     
    Any script examples, extension tips, or documentation references would be highly appreciated.
     
    Thanks in advance!
     
    Best regards,



    ------------------------------
    Abdlrahman moghazy
    ------------------------------


  • 2.  RE: How to Show Top 10 Event Names in SOAR Incident Outbound Email from QRadar Offense Details

    Posted Mon May 05, 2025 11:14 AM

    The following added to the template would return a string comma-separated list of the top event names.

    {% set topEventNames = template_helper.get_datatable_value_array(template_helper.get_incident_value(incident, 'id'), 'qr_offense_top_events', 'event_name') %}


    ------------------------------
    Richard Swierk
    ------------------------------



  • 3.  RE: How to Show Top 10 Event Names in SOAR Incident Outbound Email from QRadar Offense Details

    Posted Mon May 05, 2025 01:36 PM

    Dear Mr. Richard Swierk,

    Thank you for your support.

    Could you please clarify where exactly I should place the command, and which macro should be used with it?
    Should I use:

    • macro get_note(note, get_children=True)

    • macro get_row(label, field_name)

    • or macro get_artifact(art)?

    Your guidance is highly appreciated.

    Best regards,



    ------------------------------
    Abdlrahman moghazy
    ------------------------------



  • 4.  RE: How to Show Top 10 Event Names in SOAR Incident Outbound Email from QRadar Offense Details

    Posted Mon May 05, 2025 03:23 PM

    None of those macros should be used.

    The command {% set topEventNames = template_helper.get_datatable_value_array(template_helper.get_incident_value(incident, 'id'), 'qr_offense_top_events', 'event_name') %} will create a variable named topEventNames whose value will be a list of all the top event names from the data table qr_offense_top_events. You can then take that list and format it how you want in the email template.



    ------------------------------
    Richard Swierk
    ------------------------------
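Where the `{% set %}` line sits in the template and how the resulting list is then rendered in the message body, as an added example that is not code from the thread or from IBM's stock templates. The helper calls, data table name and column name are taken from the replies above; the cap of ten rows, the empty-list branch, the `|escape` filters and the HTML markup are assumptions (that the email body is HTML and that the table may hold more rows than the offense summary shows).

```jinja
{# Collect the top event names once, near the top of the template body. #}
{% set topEventNames = template_helper.get_datatable_value_array(
      template_helper.get_incident_value(incident, 'id'),
      'qr_offense_top_events',
      'event_name') %}

<h3>Top event names (QRadar offense)</h3>
{% if topEventNames %}
  <ol>
  {# Assumption: limit to 10 in case the data table holds more rows than the offense summary. #}
  {% for name in topEventNames[:10] %}
    {# Event names are QRadar-supplied text, not trusted markup, so HTML-escape them. #}
    <li>{{ name|escape }}</li>
  {% endfor %}
  </ol>
{% else %}
  <p>No top event names were recorded in the qr_offense_top_events data table for this incident.</p>
{% endif %}

{# Alternative single-line form, matching the comma-separated wording in reply 2. #}
<p>Top events: {{ topEventNames[:10]|map('escape')|join(', ') }}</p>
```

The `{% set %}` must appear before any line that references `topEventNames`; placing it at the top of the template body keeps it usable by both the list and the single-line form.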