QRadar connector - Custom fields ingested

Question

Hello,I have a QRadar connector configured on my SOAR instance, it is working fine, the logs arrive correctly and cases are being generated.The issue is that in QRadar there are some Custom Fields that are not ingested correctly.I do have configured the custom fields on the connector page like this:The fact is that I get the Filename and Request field, but I got some issue on the "SHA 256" field, I think the problem is the space present in the custom field.How do the SOAR translate the space? Do I have to write SHA_256 or something like this?Thanks in advance!

ylandovskyy · Accepted Answer

Hey @Lun ,The way this connector fetches data is by building an AQL query. I would suggest to check, how you need to provide custom fields with whitespace inside Qradar first. It's been a while since I worked on Qradar, but maybe 'SHA 256' input with quotes will be the one needed. Though, there maybe a need to do escaping as well.

Lun · Answer

Hey @Lun ,The way this connector fetches data is by building an AQL query. I would suggest to check, how you need to provide custom fields with whitespace inside Qradar first. It's been a while since I worked on Qradar, but maybe 'SHA 256' input with quotes will be the one needed. Though, there maybe a need to do escaping as well. Thanks @ylandovskyy!I checked the connector details, I found the Query that the connector launches on Qradar and I saw that the custom field is automatically put between double quotes, so my configuration was right! but SOAR decided to hide the custom field I configured.All's well that ends well!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded