IBM Security QRadar SOAR

  • 1.  QRADAR search error | Invalid field name: qradar_query_param2

    Posted Thu September 22, 2022 11:30 AM
    When running a query through the workflow, the error below is populated. This stopped working in the production environment. No changes were applied.

    Unable to run the pre-processing script for Function 'QRadar Search' from Workflow 'Qradar : Extract Logon IP, Logon Location & User Principle Name' due to the following errors: Invalid field name: qradar_query_param2

    INPUT QUERY: SELECT QIDNAME(qid) as 'EventName',"Logon IP" as 'LogonIP',"Logon Location" as 'LogonLocation',"User Principal Name" as 'Username' FROM events WHERE INOFFENSE(%param1%) GROUP BY "EventName" LAST %param2% DAYS

    Pre-Process Script
    inputs.qradar_query_param1 = incident.properties.qradar_id
    if rule.properties.days:
        inputs.qradar_query_param2 = str(rule.properties.days)
    else:
        inputs.qradar_query_param2 = 30

    Workarounds done:

    Adjusted pre-process script:
    inputs.qradar_query_param1 = incident.properties.qradar_id
    (removed other config)

    Input field adjusted: SELECT QIDNAME(qid) as 'EventName',"Logon IP" as 'LogonIP',"Logon Location" as 'LogonLocation',"User Principal Name" as 'Username' FROM events WHERE INOFFENSE(%param1%) GROUP BY "EventName" LAST 3 DAYS


    Any inputs on this? I could not understand where the issue is.


    ------------------------------
    Vijay Reddy
    ------------------------------
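As an added illustration (not code from the thread or from the QRadar SOAR product), the following Python mirrors what the pre-process script above does: it maps incident and rule properties onto the function's `qradar_query_paramN` inputs, checks that every input the script assigns is a declared field of the function (the condition behind an "Invalid field name" rejection), and renders the AQL template with the `%paramN%` placeholders substituted. The `build_inputs`, `validate_inputs` and `render_aql` names and the `defined_fields` set are assumptions made for this example.

```python
import re

# Constructed copy of the AQL template shown in the workflow's function input.
AQL_TEMPLATE = (
    "SELECT QIDNAME(qid) as 'EventName',\"Logon IP\" as 'LogonIP',"
    "\"Logon Location\" as 'LogonLocation',\"User Principal Name\" as 'Username' "
    "FROM events WHERE INOFFENSE(%param1%) GROUP BY \"EventName\" LAST %param2% DAYS"
)

PLACEHOLDER = re.compile(r"%param(\d+)%")
INPUT_PREFIX = "qradar_query_"  # function inputs are named qradar_query_paramN


def build_inputs(incident_props, rule_props, default_days=30):
    """Mirror the pre-process script: incident qradar_id -> param1, rule days
    (defaulting to 30 when unset) -> param2. Both values are returned as strings
    so the type does not depend on which branch was taken."""
    days = rule_props.get("days") or default_days
    return {
        "qradar_query_param1": str(incident_props["qradar_id"]),
        "qradar_query_param2": str(days),
    }


def validate_inputs(defined_fields, inputs):
    """Emulate the platform-side check: every key the pre-process script assigns
    must be a declared input field of the function. Returns the offending names."""
    return sorted(name for name in inputs if name not in defined_fields)


def render_aql(template, inputs):
    """Substitute %paramN% placeholders from the function inputs, failing early
    with a clear message if the template references a parameter with no value."""
    needed = {f"{INPUT_PREFIX}param{n}" for n in PLACEHOLDER.findall(template)}
    missing = sorted(needed - inputs.keys())
    if missing:
        raise KeyError(f"template references inputs with no value: {missing}")
    return PLACEHOLDER.sub(
        lambda m: inputs[f"{INPUT_PREFIX}param{m.group(1)}"], template
    )
```

Running `validate_inputs` against the function's declared fields before assigning inputs reproduces the failure condition locally, which makes a missing or renamed `qradar_query_param2` field visible without executing the workflow.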


  • 2.  RE: QRADAR search error | Invalid field name: qradar_query_param2

    Posted Thu September 22, 2022 12:42 PM
    Hey Vijay, did you try to run this AQL in the QRadar Log Activity advanced search, overwriting %param1% with the number of the offense?

    ------------------------------
    Charlie
    ------------------------------



  • 3.  RE: QRADAR search error | Invalid field name: qradar_query_param2

    Posted Thu September 22, 2022 03:55 PM
    Hi Charlie,

    Yes, it did work when substituting the values as follows:

    SELECT QIDNAME(qid) as 'EventName',"Logon IP" as 'LogonIP',"Logon Location" as 'LogonLocation',"User Principal Name" as 'Username' FROM events WHERE INOFFENSE(140709) GROUP BY "EventName" LAST 3 DAYS

    ------------------------------
    Vijay Reddy
    ------------------------------