IBM Security QRadar

Hello. I'm zerah

I installed a LOOKUPS Content Extension on qradar siem.

When I try to run an advanced search, it makes a problem like this:

(26020) Custom function "lookups::cidrlist" encountered a runtime exception: Exception during invocation of script function "isMatched": Failed to perform get request [http://192.168.252.13/console/qradar/test_lookup.txt]: [ConnectException] Connection refused

AQL:

SELECT sourceip, QIDNAME(qid) AS EventName FROM events WHERE LOOKUPS::CIDRLIST('https://192.168.252.13/console/qradar/lookup_files/test_lookup.txt', sourceip, '{"nonsense_key":"points to nonsense value."}') IS NOT NULL

What do you see as the problem?

Because of security concenrs, the ability of a Custom AQL function to connect back to QRadar in the manner that this script uses, has been removed.  Thus this function (and the others like it in that content pack) will not work on newer versions of QRadar.

pfh

Hello. I'm zerah

I installed a LOOKUPS Content Extension on qradar siem.

When I try to run an advanced search, it makes a problem like this:

(26020) Custom function "lookups::cidrlist" encountered a runtime exception: Exception during invocation of script function "isMatched": Failed to perform get request [http://192.168.252.13/console/qradar/test_lookup.txt]: [ConnectException] Connection refused

AQL:

SELECT sourceip, QIDNAME(qid) AS EventName FROM events WHERE LOOKUPS::CIDRLIST('https://192.168.252.13/console/qradar/lookup_files/test_lookup.txt', sourceip, '{"nonsense_key":"points to nonsense value."}') IS NOT NULL

What do you see as the problem?

Because of security concenrs, the ability of a Custom AQL function to connect back to QRadar in the manner that this script uses, has been removed.  Thus this function (and the others like it in that content pack) will not work on newer versions of QRadar.

pfh

Hello. I'm zerah

I installed a LOOKUPS Content Extension on qradar siem.

When I try to run an advanced search, it makes a problem like this:

(26020) Custom function "lookups::cidrlist" encountered a runtime exception: Exception during invocation of script function "isMatched": Failed to perform get request [http://192.168.252.13/console/qradar/test_lookup.txt]: [ConnectException] Connection refused

AQL:

SELECT sourceip, QIDNAME(qid) AS EventName FROM events WHERE LOOKUPS::CIDRLIST('https://192.168.252.13/console/qradar/lookup_files/test_lookup.txt', sourceip, '{"nonsense_key":"points to nonsense value."}') IS NOT NULL

What do you see as the problem?

Okay. Thank you.

I solved this problem by creating a new webserver instead of QRadar.

Because of security concenrs, the ability of a Custom AQL function to connect back to QRadar in the manner that this script uses, has been removed.  Thus this function (and the others like it in that content pack) will not work on newer versions of QRadar.

pfh

Hello. I'm zerah

I installed a LOOKUPS Content Extension on qradar siem.

When I try to run an advanced search, it makes a problem like this:

(26020) Custom function "lookups::cidrlist" encountered a runtime exception: Exception during invocation of script function "isMatched": Failed to perform get request [http://192.168.252.13/console/qradar/test_lookup.txt]: [ConnectException] Connection refused

AQL:

SELECT sourceip, QIDNAME(qid) AS EventName FROM events WHERE LOOKUPS::CIDRLIST('https://192.168.252.13/console/qradar/lookup_files/test_lookup.txt', sourceip, '{"nonsense_key":"points to nonsense value."}') IS NOT NULL

What do you see as the problem?