Submits an AQL query to a QRadar Ariel database.

This action only submits the search; use the “Retrieve Ariel Search Result” action with the returned search_id to fetch the results.

External Documentation

To learn more, visit the QRadar documentation.

Parameters

Parameter        | Description
Query Expression | The query to run, written in AQL syntax.

Example Output

{
	"cursor_id": "s16",
	"compressed_data_file_count": 0,
	"compressed_data_total_size": 0,
	"data_file_count": 5470,
	"data_total_size": 67183115,
	"index_file_count": 0,
	"index_total_size": 0,
	"processed_record_count": 1256462,
	"error_messages": [
		{
			"code": "String",
			"contexts": [
				"String"
			],
			"message": "String",
			"severity": "String <one of: INFO, WARN, ERROR>"
		}
	],
	"desired_retention_time_msec": 86400000,
	"progress": 46,
	"progress_details": [
		0,
		0,
		0,
		0,
		66957,
		652657,
		76594,
		89809,
		86032,
		107729
	],
	"query_execution_time": 1480,
	"query_string": "SELECT sourceip, starttime, qid, sourceport  from events into s16 where sourceip in (select destinationip from events) parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
	"record_count": 1240923,
	"save_results": false,
	"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>",
	"snapshot": {
		"events": [
			{
				"sourceip": "10.100.65.20",
				"starttime": 1467049610018,
				"qid": 10034,
				"sourceport": 13675
			},
			{
				"sourceip": "10.100.100.121",
				"starttime": 1467049610019,
				"qid": 20034,
				"sourceport": 80
			}
		]
	},
	"subsearch_ids": [
		"sub_id_1"
	],
	"search_id": "s16"
}
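The submit/retrieve split above means a caller has to track the search_id and the status field (WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR) before asking for results. The Python below is an added example, not code from this page or from the QRadar product: it drives that lifecycle against the QRadar Ariel REST endpoints (POST /api/ariel/searches, GET /api/ariel/searches/{id}, GET /api/ariel/searches/{id}/results) through an assumed `http` transport callable, and the `FakeQRadar` class is a constructed offline stand-in for the server.

```python
import time

# Terminal statuses of an Ariel search, as listed in the example output above.
TERMINAL_STATUSES = {"COMPLETED", "CANCELED", "ERROR"}


class ArielSearchError(RuntimeError):
    """Raised when a search ends CANCELED/ERROR or never reaches a terminal state."""


def run_ariel_search(http, query, poll_interval=0.0, max_polls=50):
    """Submit an AQL query, poll until it finishes, return (search_id, results).

    `http(method, path, params) -> dict` is an assumed transport wrapper; a real
    one would add the SEC token and Version headers. Results are fetched only
    once the search reports COMPLETED, mirroring the two workflow actions.
    """
    submitted = http("POST", "/api/ariel/searches", {"query_expression": query})
    search_id = submitted["search_id"]
    for _ in range(max_polls):
        state = http("GET", f"/api/ariel/searches/{search_id}", {})
        status = state["status"]
        if status == "COMPLETED":
            return search_id, http("GET", f"/api/ariel/searches/{search_id}/results", {})
        if status in TERMINAL_STATUSES:
            # Surface QRadar's own error_messages rather than silently returning nothing.
            detail = "; ".join(f"{m['severity']}: {m['message']}"
                               for m in state.get("error_messages", []))
            raise ArielSearchError(f"search {search_id} ended with {status} ({detail})")
        time.sleep(poll_interval)  # WAIT / EXECUTE / SORTING: keep polling
    raise ArielSearchError(f"search {search_id} not finished after {max_polls} polls")


class FakeQRadar:
    """Constructed in-memory stand-in: WAIT -> EXECUTE -> COMPLETED, or ERROR."""

    def __init__(self, fail=False):
        self.fail, self.polls = fail, 0
        self.events = [{"sourceip": "10.100.65.20", "qid": 10034, "sourceport": 13675}]

    def __call__(self, method, path, params):
        if method == "POST":
            return {"search_id": "s16", "status": "WAIT", "query_string": params["query_expression"]}
        if path.endswith("/results"):
            return {"events": self.events}
        self.polls += 1
        if self.fail:
            return {"status": "ERROR", "error_messages": [{"severity": "ERROR", "message": "constructed failure"}]}
        return {"status": ["WAIT", "EXECUTE", "COMPLETED"][min(self.polls - 1, 2)]}
```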

Workflow Library Example

Perform Ariel Search with Qradar and Send Results Via Email
