Bug in native playbook 'QRadarFullSearch'

adocasar — Wed, 08 Nov 2023 15:53:07 GMT

Hello,

XSOAR's native playbook named 'QRadarFullSearch' has a task called 'Get QRadar search results'. Everytime we run this task, it fails with the following error log:

Failed to execute qradar-get-search-results command.
Error:
Traceback (most recent call last):
File "<string>", line 15863, in main
File "<string>", line 14390, in qradar_search_results_get_command
File "<string>", line 12178, in search_results_get
File "<string>", line 11998, in http_request
File "<string>", line 9173, in _http_request
File "<string>", line 12041, in qradar_error_handler
DemistoException: Error in API call [404] - 404
The search "3ffa6801-025a-4e74-a63d-c0d916b57d93" is still being processed. Results are not yet available.

After some investigation, we found out that the problem is related with the task 'Is search completed?' which basically consists on the following logic (see attachment for evidence):

QRadar.Search.Status Equals (String) COMPLETED

Somehow, this comparison is returning TRUE under the following condition (see attachment for evidence):

Label: yes, Condition: [EXECUTE Equals COMPLETED]

This is causing the playbook the retrieve results of a search that is on an 'EXECUTE' status and therefore causing the failure of the playbook.

Could you please check this internally?

Regards.

Re: Bug in native playbook 'QRadarFullSearch'

AbelSantamarina — Wed, 13 Dec 2023 20:03:01 GMT

@adocasar,

From what you are describing, this looks like this is an issue with our QRadarFullSearch out of the box playbook, part of the QRadar Content Pack.

Please open up a support case with our support team and someone will be assisting you with this problem.

Thank you.

topic Re: Bug in native playbook 'QRadarFullSearch' in Cortex XSOAR Discussions

Bug in native playbook 'QRadarFullSearch'

Re: Bug in native playbook 'QRadarFullSearch'