https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/556840#M2608 <P>That makes sense. If the field did not map to one of the incident types, is it possible that that key does not exist for that particular alert, or stored in a different location that the mapper does not read? Happy to jump on a call and take a look, but I would start by doing the following,</P> <P>&nbsp;</P> <P>* Add the server configuration - <STRONG>ingestion.samples.save-mapped&nbsp;</STRONG>and value would be <STRONG>true</STRONG>. This ensures that the raw data from the alert is captured in the incident for us to review.</P> <P>* Ingest a few QRadar alerts. After adding the above config, you should see the ${incident.rawJSON} field populate for every incident you ingest(not limited to one type)</P> <P>* <STRONG>REMOVE</STRONG>&nbsp;the server config after a few QRadar samples have been collected. If not removed, it can have serious implications for storage and performance</P> <P>* Review alert samples to see if data exists in just a subset of the types</P> <P>&nbsp;</P> Wed, 06 Sep 2023 20:05:04 GMT RahulVijaydev 2023-09-06T20:05:04Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/554881#M2553 <P>Dear all,</P> <P>&nbsp;</P> <P>I am trying to deploy MT XSOAR on a customer and they are using QRadar 7.3.5 with API 19.0. I have noticed that some incidents do not get the same mapping, yet they use Qradar Generic Incoming Mapper and all incidents are set as QRadar generic. </P> <P>&nbsp;</P> <P>For instance, Type A incident gets incidents.label.start_time mapped as incidents.starttime but type B incident does not have this mapping. Both incident types are coming from the same QRadar Instance. Is there any suggestion that you can provide?</P> <P>&nbsp;</P> <P>Also one more thing. I want to check the Incoming Mapper options but whenever I try to pull incidents from QRadar on Incoming Mapper config page, I only get to see 1-2 incidents. Is there a way to fix this? I already applied the server config to increase limit to 100 by adding <STRONG class="userinput"><CODE class="hljs language-lua">mapping.<SPAN class="hljs-built_in">max</SPAN>.pulled.samples</CODE></STRONG> 100 config.</P> <P>&nbsp;</P> <P>Kindly advise.</P> Wed, 23 Aug 2023 16:17:48 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/554881#M2553 renaissancefreak 2023-08-23T16:17:48Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/554919#M2555 <P>Hello,</P> <P>&nbsp;</P> <P>If you are able to visualize the raw JSON data for both types that you are referring to, do you find the field absent from one of the types, or is it placed under a separate field in both types?</P> <P>&nbsp;</P> <P>The number of samples you can retrieve will depend on how many alerts were available in the lookback period configured in the integration. The numbers can vary with time.</P> <P>&nbsp;</P> Wed, 23 Aug 2023 19:07:51 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/554919#M2555 RahulVijaydev 2023-08-23T19:07:51Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/554950#M2556 <P>Hello,</P> <P>&nbsp;</P> <P>Both Incident A and B has the same incident.labels.starttime label and context.</P> <P>&nbsp;</P> <P>Incident A has the same label mapped as incident.starttime. Incident B does not have the same context key. They are both mapped as QRadar Generic type and they both use the same Incoming Mapper option and same QRadar instance.</P> <P>&nbsp;</P> <P>I hope I was able to explain the situation better.</P> Wed, 23 Aug 2023 21:57:06 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/554950#M2556 renaissancefreak 2023-08-23T21:57:06Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/556840#M2608 <P>That makes sense. If the field did not map to one of the incident types, is it possible that that key does not exist for that particular alert, or stored in a different location that the mapper does not read? Happy to jump on a call and take a look, but I would start by doing the following,</P> <P>&nbsp;</P> <P>* Add the server configuration - <STRONG>ingestion.samples.save-mapped&nbsp;</STRONG>and value would be <STRONG>true</STRONG>. This ensures that the raw data from the alert is captured in the incident for us to review.</P> <P>* Ingest a few QRadar alerts. After adding the above config, you should see the ${incident.rawJSON} field populate for every incident you ingest(not limited to one type)</P> <P>* <STRONG>REMOVE</STRONG>&nbsp;the server config after a few QRadar samples have been collected. If not removed, it can have serious implications for storage and performance</P> <P>* Review alert samples to see if data exists in just a subset of the types</P> <P>&nbsp;</P> Wed, 06 Sep 2023 20:05:04 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/556840#M2608 RahulVijaydev 2023-09-06T20:05:04Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/557032#M2612 <P>Hello,</P> <P>&nbsp;</P> <P>I already solved my both problems. I guess first one was something momentary because it did not occur again.</P> <P>&nbsp;</P> <P>I found the ingestion server config parameter from KBs and applied. Thanks for your help again.</P> Thu, 07 Sep 2023 17:00:58 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-api-19-0-and-incoming-mapper-problem/m-p/557032#M2612 renaissancefreak 2023-09-07T17:00:58Z