FortiSOAR Knowledge Base
FortiSOAR: Security Orchestration and Response software provides innovative case management, automation, and orchestration. It pulls together all of an organization's tools, helps unify operations, and reduces alert fatigue, context switching, and the mean time to respond to incidents.
jankit6 (Staff)
Article Id 417927
Description: This article describes how to customize filter queries or Jinja templates to fetch particular categories of offenses from QRadar.
Scope: FortiSOAR, FortiSOAR QRadar connector.
Solution

To fetch records from QRadar, the FortiSOAR connector action 'Get Offense' uses the following default query:


{{vars.filter_string}} and (start_time > '{{vars.qradar_epoch}}' or last_updated_time > '{{vars.qradar_epoch}}')


The connector renders this template before calling QRadar: it appends the time conditions with logical operators, so the resulting filter checks either 'start_time' or 'last_updated_time' in addition to the 'filter query' configured by the user during ingestion.

However, in some scenarios, simply updating the 'filter_string' value is not enough, because the connector always includes the 'start_time' and 'last_updated_time' conditions by default. In those cases the Jinja template itself must be customized, as in Example 2 below.


Example 1:
If a user wants to fetch all 'open offenses' from QRadar, the resulting query will be:


status="Open" and (start_time > '{{vars.qradar_epoch}}' or last_updated_time > '{{vars.qradar_epoch}}')


Example 2:
If a user needs to fetch 'closed offenses' for a specific 'domain', the query should be:


status="Closed" and domain_id=XX and (close_time > '{{vars.qradar_epoch}}')


Similarly, the query can be modified as needed based on specific use case requirements.
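The rendering step described above (the connector substituting its 'vars' into the Jinja template and sending the result to QRadar as a filter) is easier to reason about when it can be run end to end. The following Python is an added example written for this article, not the FortiSOAR connector's own code. It models the substitution with a small regular expression instead of Jinja, assumes that QRadar epochs are milliseconds since the Unix epoch, and assumes the offense REST endpoint takes the rendered text as its 'filter' query parameter (with an optional 'fields' parameter). The custom template for closed offenses in a domain, the domain id 7, and the 2024-01-01 last-ingestion timestamp are all constructed for the example.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlencode

# Default template of the connector's 'Get Offense' action, as quoted in the article.
DEFAULT_TEMPLATE = (
    "{{vars.filter_string}} and "
    "(start_time > '{{vars.qradar_epoch}}' or last_updated_time > '{{vars.qradar_epoch}}')"
)

# Constructed custom template for Example 2: the time window is keyed on close_time
# and the domain id is a variable instead of a hard-coded value (assumption).
CLOSED_IN_DOMAIN_TEMPLATE = (
    'status="Closed" and domain_id={{vars.domain_id}} and '
    "(close_time > '{{vars.qradar_epoch}}')"
)

# Matches {{vars.<name>}} placeholders, tolerating spaces inside the braces.
_PLACEHOLDER = re.compile(r"\{\{\s*vars\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def to_qradar_epoch(ts: datetime) -> int:
    """Convert a timezone-aware datetime to the millisecond epoch used in QRadar filters (assumption)."""
    if ts.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so the epoch is unambiguous")
    return int(ts.timestamp() * 1000)


def render_filter(template: str, variables: dict) -> str:
    """Substitute {{vars.<name>}} placeholders in a template.

    Stand-in for the connector's Jinja rendering. Unlike Jinja's default behaviour,
    a missing or empty variable raises instead of rendering as an empty string,
    because an empty filter_string would silently yield ' and (start_time > ...)',
    which is not a valid filter expression.
    """
    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables or variables[name] in (None, ""):
            raise KeyError(f"template references vars.{name} but no value was supplied")
        return str(variables[name])

    rendered = _PLACEHOLDER.sub(substitute, template)
    if "{{" in rendered or "}}" in rendered:
        raise ValueError(f"unrendered placeholder left in filter: {rendered}")
    return rendered


def build_offense_query(template: str, variables: dict, fields=None) -> str:
    """Build the query string for GET /api/siem/offenses (assumption: 'filter' and 'fields' parameters)."""
    params = {"filter": render_filter(template, variables)}
    if fields:
        params["fields"] = ",".join(fields)
    return urlencode(params)


def example_queries() -> dict:
    """Render the article's two examples against a constructed last-ingestion time (2024-01-01 UTC)."""
    epoch = to_qradar_epoch(datetime(2024, 1, 1, tzinfo=timezone.utc))
    return {
        # Example 1: open offenses with the default template.
        "open_default": render_filter(
            DEFAULT_TEMPLATE, {"filter_string": 'status="Open"', "qradar_epoch": epoch}
        ),
        # Example 2: closed offenses in one domain with the custom template, as a URL query string.
        "closed_in_domain": build_offense_query(
            CLOSED_IN_DOMAIN_TEMPLATE,
            {"domain_id": 7, "qradar_epoch": epoch},
            fields=["id", "status", "domain_id"],
        ),
    }


if __name__ == "__main__":
    for name, query in example_queries().items():
        print(f"{name}: {query}")
```

The strict handling of missing variables is the practical point: if the ingestion configuration leaves 'filter_string' blank, the default template still renders, but the leading ' and ' makes the filter invalid and the pull returns nothing useful. Failing early at render time makes that misconfiguration visible instead of looking like an empty QRadar result set.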