https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/477262#M683 <P>Can you kindly share the integration instance settings? namely the query used for fetch. If set correctly, XSOAR should not be returning any incidents from the API with 'magnitudes' under threshold - used to filter 'fetch'<BR /><BR />I also suggest test query in Qradar API playground to ensure it performs as expected. If it doesn't, cross reference the search/query syntax with Qradar documentation, test again Qradar API playground, then update you integration instance in XSOAR.<BR /><BR />Hope this helps.</P> Thu, 31 Mar 2022 14:43:04 GMT jgomes 2022-03-31T14:43:04Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/476980#M680 <P>Got a QRadar integration.&nbsp;<BR />It's suppose to pull back offenses with magnitude &gt; 4</P><P>&nbsp;</P><P>However, our metrics are much higher than what the client expects.<BR /><BR />When reviewing this case got pulled into XSOAR:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jboyd98_0-1648657803907.png" style="width: 572px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39929i21E82625B56D0A8E/image-dimensions/572x79/is-moderation-mode/true?v=v2" width="572" height="79" role="button" title="jboyd98_0-1648657803907.png" alt="jboyd98_0-1648657803907.png" /></span></P><P><BR /><BR />However, when exporting QRadar, the incident has the following:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jboyd98_1-1648657953036.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39930iBEA610A471851EC3/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jboyd98_1-1648657953036.png" alt="jboyd98_1-1648657953036.png" /></span></P><P>&nbsp;</P><P>In the second column you can see magnitude has a value of 2; so in theory I don't think this should have ever created an incident within XSOAR.<BR /><BR />Any thoughts?<BR /><BR />Thanks!</P> Wed, 30 Mar 2022 16:33:43 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/476980#M680 jboyd98 2022-03-30T16:33:43Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/477262#M683 <P>Can you kindly share the integration instance settings? namely the query used for fetch. If set correctly, XSOAR should not be returning any incidents from the API with 'magnitudes' under threshold - used to filter 'fetch'<BR /><BR />I also suggest test query in Qradar API playground to ensure it performs as expected. If it doesn't, cross reference the search/query syntax with Qradar documentation, test again Qradar API playground, then update you integration instance in XSOAR.<BR /><BR />Hope this helps.</P> Thu, 31 Mar 2022 14:43:04 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/477262#M683 jgomes 2022-03-31T14:43:04Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/477296#M684 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jboyd98_0-1648741397540.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39964i4FFA68F8DF719289/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jboyd98_0-1648741397540.png" alt="jboyd98_0-1648741397540.png" /></span></P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="jboyd98_1-1648741429034.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39965i51CBF1F87CA0EBDC/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="jboyd98_1-1648741429034.png" alt="jboyd98_1-1648741429034.png" /></span></P><P>&nbsp;</P><P>Whats confusing is if look at example incident&nbsp;<SPAN class="">201769</SPAN>, the magnitude is recorded as <STRONG>5</STRONG> under the incident's QRadar Offense tab.<BR /><BR />Then if I go run the following in the playground it shows a magnitude of <STRONG>2</STRONG>.</P><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV class=""><DIV><DIV class=""><DIV><DIV class=""><SPAN class="">!qradar-offenses-list offense_id=201769 fields=magnitude</SPAN></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV></DIV><DIV class=""><DIV class=""><DIV class=""><TABLE><TBODY><TR><TD>Magnitude</TD><TD><SPAN class="">2</SPAN></TD></TR></TBODY></TABLE><BR />Not familiar with QRadar; can a user modify the magnitude of an offense?<BR />Only thing I can think is that we're recording the incident when it's created and then the magnitude is changing on the qradar side.</DIV><DIV class="">Though xsoar recorded 400+ incidents for March, and QRadar only has 13 offenses that are &gt;4 in March.&nbsp; Client says they're not changing.<BR /><BR /><BR /></DIV></DIV></DIV> Thu, 31 Mar 2022 15:53:22 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/477296#M684 jboyd98 2022-03-31T15:53:22Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/477746#M685 <P>Can a user modify the&nbsp; magnitude of an offense?</P><P>No, This is a calculation based on the Severity, Relevance and Credibility.&nbsp;&nbsp;</P><P>&nbsp;</P><P>From the details you have given so far, there is a discrepancy between Q and XSOAR. What you can do here is to use the same query in the QR interactive API guide and find out if the returned result is the same if it is this has to be raised with QR support.</P><P>&nbsp;</P><P>Query Examples&nbsp; :&nbsp;<A href="https://www.ibm.com/docs/en/qsip/7.3.3?topic=api-filter-syntax" target="_blank">https://www.ibm.com/docs/en/qsip/7.3.3?topic=api-filter-syntax</A></P><P>API Access guide : <A href="https://www.ibm.com/docs/en/qradar-on-cloud?topic=api-accessing-interactive-documentation-page" target="_blank">https://www.ibm.com/docs/en/qradar-on-cloud?topic=api-accessing-interactive-documentation-page</A>&nbsp;</P> Sun, 03 Apr 2022 08:19:40 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/qradar-integration-magnitude-query-not-returning-expected/m-p/477746#M685 vidurasupun 2022-04-03T08:19:40Z