How to Export JSON of a Specific QRadar Offense for XSOAR Use


L1 Bithead

Hi everyone,

I’m working on a QRadar integration (v2.5.7) in Cortex XSOAR (v6.12) and need to generate a JSON file for a specific offense to use in several scenarios, such as configuring an incident classifier. For example, in the classifier editor, you can upload a JSON file to analyze the data structure and map the fields correctly.

Here’s the situation:

  • When I use the "Pull from instance" option with the QRadar v3 integration, XSOAR loads random incident data instead of the one I want.
  • I want to export the JSON for a specific offense, such as #12 509 Impossible Travel Detected containing Primary Authentication Success.

I’ve tried running !js script="return ${.}" in the War Room of the specific incident, but the JSON it returns contains significantly more fields than the one shown in the classifier editor when pulling data from QRadar.

I’ve also considered using the command:

!get-remote-data id=<offense_id> lastUpdate=<date_str>

to fetch the JSON for this specific offense. Is this the right approach to generate the JSON, or is there a better method?

Additionally, is it possible to extract the exact JSON used by XSOAR when it pulls data for the incident directly from QRadar, without additional fields or transformations?

Thanks in advance for your help!

3 REPLIES

L3 Networker

Hey there,

that's a good question, top of mind, and if I understood the question correctly, you could:

  1. If the offense is already fetched on XSOAR, simply do a !print of the context data and download the JSON
  2. Set up a second QRadar integration, adjust the query to the offenses you want, and use the classifier and mapper from that

Hi,

I found this command in the QRadar integration: !get-remote-data id=<offense_id> lastUpdate=<yyyymmdd>.

This command retrieves only the data that XSOAR fetches from QRadar. After fetching the offense, XSOAR enriches it and adds more contextual information.

I need the original data to set up the mapper from QRadar offense fields to XSOAR fields. I cannot use the context data because the mapping is done before the context data is available. Indeed, the mapper does build the context from the QRadar offense fields.

Regards,

L3 Networker

Well, in that case option 2 would also do the trick.

Also, but not sure, can you download the JSON directly from QRadar?
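Picking up the last reply's question about downloading the JSON directly from QRadar: the offense can be pulled from the QRadar REST API and saved as a file for upload in the classifier editor. This is an added example, not code from the thread or from the XSOAR QRadar integration; it assumes the standard QRadar endpoint GET /api/siem/offenses/{id} authenticated with an authorized-service token in the SEC header, and the console URL, token, API version and SAMPLE_OFFENSE values are placeholders.

```python
"""Pull one offense straight from the QRadar REST API and save it as a JSON
file that can be uploaded in the XSOAR classifier/mapper editor."""
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

# Constructed sample response (hypothetical values) so the script runs offline.
SAMPLE_OFFENSE = {"id": 12509, "description": "Impossible Travel Detected",
                  "status": "OPEN", "magnitude": 5, "offense_type": 3}


def build_offense_request(console_url: str, offense_id: int, sec_token: str,
                          api_version: str = "19.0") -> Dict[str, Any]:
    """URL and headers for GET /api/siem/offenses/{id}.

    QRadar authenticates REST calls with an authorized-service token in the SEC
    header; Version pins the API version (19.0 is an assumption, adjust to your
    console) so the returned field set stays stable.
    """
    return {
        "url": f"{console_url.rstrip('/')}/api/siem/offenses/{int(offense_id)}",
        "headers": {"SEC": sec_token, "Version": api_version,
                    "Accept": "application/json"},
    }


def http_get_json(url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Default fetcher: plain urllib GET with TLS verification left on."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def export_offense(console_url: str, offense_id: int, sec_token: str,
                   out_path: Optional[str] = None,
                   fetch: Callable[..., Dict[str, Any]] = http_get_json) -> Dict[str, Any]:
    """Fetch the raw offense and optionally write it pretty-printed to out_path.

    The result is exactly what QRadar served, without the context keys XSOAR
    adds after fetch, so it is the right sample for building the mapper.
    """
    req = build_offense_request(console_url, offense_id, sec_token)
    offense = fetch(req["url"], req["headers"])
    # Sanity check: the document must carry the id that was requested.
    if offense.get("id") != int(offense_id):
        raise ValueError(f"unexpected offense id in response: {offense.get('id')!r}")
    if out_path:
        with open(out_path, "w", encoding="utf-8") as fh:
            json.dump(offense, fh, indent=2, sort_keys=True)
    return offense
```

Pass `fetch=lambda url, headers: SAMPLE_OFFENSE` to exercise it offline; omit `fetch` to call your console and give `out_path` to write the file you then upload in the classifier editor.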
