IBM Security QRadar SOAR


Incomplete documentation for app QRadar Enhanced Data Migration

  • 1.  Incomplete documentation for app QRadar Enhanced Data Migration

    Posted Thu July 14, 2022 09:41 AM
    Hi
    The documentation for the QRadar Enhanced Data Migration app version 2.0.0 mentions 4 times a field called "qradar_query_type" without documenting the values it can take.  In the examples included within the pdf, we can see that some possible values are:
    inputs.qradar_query_type = "offenserules"
    or
    inputs.qradar_query_type = "categories"
    But if we look at the example workflow "Example of searching QRadar Top Events using offense id" pre-processing script, we see that another possible value (not mentioned in the documentation) could be:
    inputs.qradar_query_type = "topevents"

    Would it be possible to update the documentation for this app and describe all the possible values for this parameter.

    Also, there are some new input parameters that appeared in the new version like "inputs.soar_table_name" and "inputs.soar_incident_id".  There is no description of what they do or what they are used for, they only appear with the code examples.

    Thanks to whoever will be able to clarify the meaning and values for those parameters :-)

    ------------------------------
    Pierre Dufresne
    ------------------------------


  • 2.  RE: Incomplete documentation for app QRadar Enhanced Data Migration

    Posted Fri July 15, 2022 10:16 AM
    I will be updating the documentation to add this information.
    When used with the qradar_offense_summary function "qradar_query_type" can equal: "offensesummary", "offenserules", or "offenseassets".
    When used with the qradar_top_events function "qradar_query_type" can equal: "flows", "topevents", "categories", "destinationip", or "sourceip".

    The "soar_table_name" parameter is for use with the poller. It gives the name of the data table that the workflow updates, so that it can be cleared if specified in the app.config.

    The "soar_incident_id" parameter is also used for the poller to clear a given data table in the given SOAR incident.

    ------------------------------
    Richard Swierk
    ------------------------------
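
The reply above lists the accepted "qradar_query_type" values per function. The following is an added example, not code from the thread or from the QRadar Enhanced Data Migration app, showing a small pre-flight check a SOAR pre-processing script could run on its inputs so that a misspelled query type, or a value that belongs to the other function, fails loudly instead of being sent to QRadar. The allowed-value sets come from the reply; the function names match the two functions the reply names; the rule that "soar_incident_id" must be an integer is an assumption made here.

```python
"""Pre-flight validation of workflow inputs for the two QRadar functions
described in the reply (added example; not the app's own code)."""

# Allowed values per function, as listed in the reply.
ALLOWED_QUERY_TYPES = {
    "qradar_offense_summary": {"offensesummary", "offenserules", "offenseassets"},
    "qradar_top_events": {"flows", "topevents", "categories",
                          "destinationip", "sourceip"},
}


class InvalidWorkflowInput(ValueError):
    """Raised when the inputs would not be accepted by the named function."""


def validate_inputs(function_name, inputs):
    """Check a dict of inputs (the keys used in the thread, without the
    'inputs.' prefix) against the rules above and return it unchanged.

    Raises InvalidWorkflowInput with a message naming the offending key, so the
    workflow fails at the pre-processing step rather than with an opaque error
    from QRadar.
    """
    if function_name not in ALLOWED_QUERY_TYPES:
        raise InvalidWorkflowInput(
            "unknown function %r; expected one of %s"
            % (function_name, sorted(ALLOWED_QUERY_TYPES)))

    query_type = inputs.get("qradar_query_type")
    allowed = ALLOWED_QUERY_TYPES[function_name]
    if query_type not in allowed:
        # Mention the other function if the value is valid there, since that is
        # the most likely mistake when both functions share one parameter name.
        hint = ""
        for other, values in ALLOWED_QUERY_TYPES.items():
            if other != function_name and query_type in values:
                hint = " (that value is only valid for %s)" % other
        raise InvalidWorkflowInput(
            "qradar_query_type=%r is not valid for %s; expected one of %s%s"
            % (query_type, function_name, sorted(allowed), hint))

    # Assumption (not stated in the thread): incident ids are numeric, so a
    # string id here is almost certainly a scripting mistake.
    incident_id = inputs.get("soar_incident_id")
    if incident_id is not None and not isinstance(incident_id, int):
        raise InvalidWorkflowInput(
            "soar_incident_id must be an int, got %r" % (incident_id,))

    # The poller clears the table named by soar_table_name in the incident
    # named by soar_incident_id, so one without the other is suspicious.
    if ("soar_table_name" in inputs) != ("soar_incident_id" in inputs):
        raise InvalidWorkflowInput(
            "soar_table_name and soar_incident_id should be supplied together")

    return inputs


def is_valid(function_name, inputs):
    """Boolean wrapper used for quick checks."""
    try:
        validate_inputs(function_name, inputs)
    except InvalidWorkflowInput:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample mirroring the thread's example workflow inputs.
    sample = {"qradar_query_type": "topevents",
              "soar_table_name": "qradar_top_events",   # constructed name
              "soar_incident_id": 2001}                 # constructed id
    print(is_valid("qradar_top_events", sample))            # True
    print(is_valid("qradar_offense_summary", sample))       # False
```

In a SOAR pre-processing script the same check would run just before the `inputs.qradar_query_type = ...` assignments, with the function name hard-coded to whichever of the two functions the workflow calls.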