IBM Security QRadar SOAR


map field to table results in rule not being run with conditions met

  • 1.  map field to table results in rule not being run with conditions met

    Posted Tue April 18, 2023 12:22 PM

    I opened a support case, but they considered this 'best practice' rather than 'break/fix' and referred me here, so here goes nothing.

    1) We are mapping events from a security product to Splunk. When conditions are met, we use the QRadar SOAR app for Splunk to send events to SOAR and map certain fields.

    2) I send an Active Directory username to SOAR in a certain field, then I run a script to populate it into a new row in the Contacts table.

    3) I have a workflow already in place that queries our ServiceNow to populate more information about the user: their email, manager, etc.

    4) This workflow kicks off automatically if we add the username to the Contacts table manually, BUT it is not kicking off when the incident is created by Splunk and the script runs to populate the username into the Contacts table.

    Does anyone have any thoughts on why this may not be happening as I am expecting?

    Thanks, Chris



    ------------------------------
    Christopher Shearer
    ------------------------------
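The script step in item 2 of the post above, written out as an added example; it is not Chris's script and not IBM's code. It assumes the in-product SOAR script API (`incident.addRow(table_api_name)` returning a row whose columns are set by their API name, and custom incident fields read via `incident.properties`), and uses hypothetical API names: `contacts` for the Contacts data table, `username` for its column, and `ad_username` for the incident field that Splunk populates. The username normalisation is an added assumption about the forms in which an AD account name can arrive from Splunk.

```python
# Added example: populate a Contacts data-table row from a username field.
# Assumes SOAR's script API (incident.addRow) and hypothetical API names
# "contacts" (table), "username" (table column) and "ad_username"
# (incident field). This is not the original poster's script.


def normalize_ad_username(raw):
    """Reduce 'DOMAIN\\user', 'user@corp.example' or ' user ' to 'user'.

    Returns None when there is nothing usable, so the caller can skip the
    row instead of creating one with an empty username (assumed to be
    what the downstream ServiceNow lookup needs).
    """
    if raw is None:
        return None
    value = str(raw).strip()
    if not value:
        return None
    if "\\" in value:                 # down-level logon name: DOMAIN\user
        value = value.rsplit("\\", 1)[1]
    elif "@" in value:                # userPrincipalName: user@domain
        value = value.split("@", 1)[0]
    return value or None


def add_contact_row(incident, raw_username, table_api_name="contacts",
                    username_column="username"):
    """Add one row to the Contacts data table and return it.

    `incident` is the object SOAR injects into scripts; here it only
    needs an addRow(table_api_name) method that returns a row supporting
    item assignment by column API name. Returns None if no row was added.
    """
    username = normalize_ad_username(raw_username)
    if username is None:
        return None
    row = incident.addRow(table_api_name)
    row[username_column] = username
    return row


# Inside the SOAR script body itself, the call would read (assumed field
# API name ad_username):
#   add_contact_row(incident, incident.properties.ad_username)
```

The function returns the row it created so the script can go on to set further columns on it; returning None for a blank or missing username avoids writing an empty Contacts row that a row-added rule would then fire on with nothing to look up.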


  • 2.  RE: map field to table results in rule not being run with conditions met

    Posted Wed April 19, 2023 07:53 AM

    Hi Chris

    Can you post the automatic rule conditions in SOAR that kick off the workflow that populates the data table?



    ------------------------------
    AnnMarie Norcross
    ------------------------------