Polling job for search results, not just search completion

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Polling job for search results, not just search completion

L1 Bithead

I'd like to take the generic polling concept and make it a little more specific, but I'm coming up short.  I'm doing a QRadar search (although I suspect Splunk or anything else would be very similar.)  The QRadarFullSearch playbook will poll and wait for the search to finish, and that has worked great so far for what it is.  But the search can finish while not actually finding anything.  Can I somehow set some loops and polling to do the search, check for results, and then kick off a new search if no results were found?  I would still like to use the timeout value so I'm not creating an infinite loop situation.

1 accepted solution

Accepted Solutions

L1 Bithead

I received an answer from my resident engineer.  The QRadarFullSearch sub-playbook that I'm calling can be set up with a built-in loop to check for the presence of results.  After the playbook finishes (meaning the search has completed) it can be repeated if no results were found, with X number of seconds between runs and up to N number of retries.  I've only ever used the 'for-each input' loop criterion...I didn't realize you could make it so much smarter!

 

I continue to be amazed every day at the things XSOAR can do.

View solution in original post

2 REPLIES 2

L3 Networker

This could be done in a Playbook, or, study teh code in QRadar and create an automation script "wrapper" for the command. In essence, the script would perform the search and return a ScheduledCommand object. This causes it to re-schedule for the next run and when you finally do receive the results (or lack there of) you could optionally change the search criteria and perform the same script again.

 

If you kept the option to achieve this in an automation script, the ScheduledCommand can be used (even with altered arguments) and be kept within your first defined timeout.

L1 Bithead

I received an answer from my resident engineer.  The QRadarFullSearch sub-playbook that I'm calling can be set up with a built-in loop to check for the presence of results.  After the playbook finishes (meaning the search has completed) it can be repeated if no results were found, with X number of seconds between runs and up to N number of retries.  I've only ever used the 'for-each input' loop criterion...I didn't realize you could make it so much smarter!

 

I continue to be amazed every day at the things XSOAR can do.

  • 1 accepted solution
  • 3158 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!