QRadarCorrelationLog

This Playbook is part of the IBM QRadar Pack.

Deprecated

Deprecated. Use the "QRadar - Get Offense Logs" playbook instead.

This playbook retrieves the correlation logs of multiple QIDs.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • QRadarFullSearch

Integrations

This playbook does not use any integrations.

Scripts

  • ChangeContext

Commands

This playbook does not use any commands.

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| QID | The correlation QID. | | Required |
| OffenseStartTime | The offense start time. | | Required |
| OffenseID | The offense ID. | | Required |
| additionalQueryFields | Additional fields to add to the basic query (a comma-separated list). | | Optional |
| GetOnlyCREEvents | If the value is "OnlyCRE", get only events made by CRE. Values can be "OnlyCRE", "OnlyNotCRE", "All". | OnlyCRE | Optional |
| MaxLogsCount | Maximum number of log entries to query from QRadar (default: 20). | 20 | Optional |

Playbook Outputs


| Path | Description | Type |
| --- | --- | --- |
| QRadar.Log | Logs of QRadar correlations | unknown |