topic Re: How to Export JSON of a Specific QRadar Offense for XSOAR Use in Cortex XSOAR Discussions

How to Export JSON of a Specific QRadar Offense for XSOAR Use

JesusAngel — Tue, 31 Dec 2024 17:17:12 GMT

Hi everyone,

I’m working on a QRadar integration (v2.5.7) in Cortex XSOAR (v6.12) and need to generate a JSON file for a specific offense to use in several scenarios, such as configuring an incident classifier. For example, in the classifier editor, you can upload a JSON file to analyze the data structure and map the fields correctly.

Here’s the situation:

When I use the "Pull from instance" option with the QRadar v3 integration, XSOAR loads random incident data instead of the one I want.
I want to export the JSON for a specific offense, such as #12 509 Impossible Travel Detected containing Primary Authentication Success.

I’ve tried running !js script="return ${.}" in the War Room of the specific incident, but the JSON it returns contains significantly more fields than the one shown in the classifier editor when pulling data from QRadar.

I’ve also considered using the command:

Additionally, is it possible to extract the exact JSON used by XSOAR when it pulls data for the incident directly from QRadar, without additional fields or transformations?

Thanks in advance for your help!

Re: How to Export JSON of a Specific QRadar Offense for XSOAR Use

JStephan — Tue, 07 Jan 2025 09:26:37 GMT

Hey there,

thats a good question, top of mind and if I understood the question correctly, you could

If the offense is already fetched on XSOAR, simply do a !print of the context data and download the json
Setup a second qradar integration and adjust the query to the offenses you want and use the classifier and mapper from that

Re: How to Export JSON of a Specific QRadar Offense for XSOAR Use

JesusAngel — Tue, 07 Jan 2025 12:07:02 GMT

Hi,

I found this command in the QRadar integration: !get-remote-data id=<offense_id> lastUpdate=<yyyymmdd>.

This command retrieves only the data that XSOAR fetches from QRadar. After fetching the offense, XSOAR enriches it and adds more contextual information.

I need the original data to setup the mapper for QRadar offense to XSOAR fields. I can not use the context data because the mapping is done before the context data is available. Indeed, the mapper does build the context from the QRadar offense fields.