IBM QRadar SOAR

IBM QRadar

  • 1.  Search Qradar for offense id

    Posted Mon November 25, 2019 08:05 AM
    Hello,
     I'm trying to get some more queries on the workflow. I want to add source IP and destination IP for example.

    DATEFORMAT (startime, 'YYYY-MM-dd HH:mm') as StartTime, NETWORKNAME(sourceip), NETWORKNAME(destinationip), CATEGORYNAME(category), LOGSOURCENAME(logsourceid), PROTOCOLNAME(protocolid),UTF8(payload),RULENAME(creeventlist)

    But the workflow is not working when I add source IP and destination IP. Could it be that the NETWORKNAME is inappropriate? Any documentation about that?

    Thank you.

    ------------------------------
    Aitor Vivanco Santa Cruz
    ------------------------------


  • 2.  RE: Search Qradar for offense id

    Posted Mon December 09, 2019 08:38 AM
    Hello Aitor,

    Thanks for contacting us for information.

    Please double check the spelling. There is a typo "startime" in the DATEFORMAT function call. That could be the reason.

    Also, if you want to verify your AQL query, you can do it from the console. Go to the "Log Activity" tab and select "Advanced Search", and you can paste your AQL query there. This can tell you whether it is a problem of the AQL query or the function integration.

    Thanks,

    Yongjian

    ------------------------------
    Yongjian Feng
    ------------------------------



  • 3.  RE: Search Qradar for offense id

    Posted Mon December 09, 2019 08:39 AM
    First, there is a typo: "startime" should be "starttime".  Second, I cannot exactly tell what info you want, but FYI, you can try out your queries in QRadar's "Log Activity" tab, using "Advanced Search" (be sure to update the drop-down lists for Start Time and End Time accordingly).

    ------------------------------
    Carol Namkoong
    ------------------------------
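As an added example (not code from the thread or from IBM), here is the SELECT list from the question turned into a complete AQL query that can be pasted into the Log Activity tab under "Advanced Search", with "startime" corrected to "starttime". The FROM events clause, the INOFFENSE() filter and the LAST time range are standard AQL but are not on the page; the offense id 1234 is a placeholder. Note that NETWORKNAME() returns the network hierarchy name for an address, so the raw sourceip and destinationip columns are selected alongside it for cases where the actual IP is wanted in the workflow output.

```sql
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm') AS StartTime,
    sourceip,
    destinationip,
    NETWORKNAME(sourceip) AS SourceNetwork,
    NETWORKNAME(destinationip) AS DestinationNetwork,
    CATEGORYNAME(category) AS Category,
    LOGSOURCENAME(logsourceid) AS LogSource,
    PROTOCOLNAME(protocolid) AS Protocol,
    UTF8(payload) AS Payload,
    RULENAME(creeventlist) AS Rules
FROM events
WHERE INOFFENSE(1234)
LAST 24 HOURS
```

The explanatory notes are kept in prose rather than inside the query so the block can be pasted verbatim. If the query runs in Advanced Search but the workflow still fails, the problem is in the function integration rather than the AQL itself, which is the split the replies above suggest checking.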