Overview
The IBM QRadar plugin adds the ability to manage offenses, create and list offense notes, create and list offense close reasons, and list offense types.
Functionality
The Security Flow IBM QRadar plugin provides the ability to
- periodically search offenses
- find (search for) existing offenses
- load an existing offense
- update an existing offense
- create a note on an existing offense
- load notes for an existing offense
- create an offense closing reason
- load the list of existing offense closing reasons
- load the list of offense types
Instance Configuration Parameters
Name for the IBM QRadar plugin instance.
A system-wide unique identifier for this plugin instance used to locate the service.
IBM QRadar server IP address or hostname. This is NOT a URL.
IBM QRadar server port for inbound connections. This should typically remain at 443.
When enabled, this setting determines whether the server’s certificate must be verified before allowing the connection to the QRadar server.
IBM QRadar Authentication Token. See Creating an authorized service token for details on creating an authentication token.
Flow Nodes
The display name of the node within the flows.
A system-wide unique identifier for this plugin instance used to locate the service.
Configuration option determining the type of operation to perform:
- Find Offenses: Finds offenses matching the supplied configuration.
- Load Offense: Loads an existing offense.
- Update Offense: Updates an existing offense.
- Create Offense Note: Creates a note on an existing offense.
- Load Offense Notes: Loads notes for an existing offense.
- Create Offense Closing Reason: Creates an offense closing reason.
- Load Offense Closing Reasons: Loads the list of existing offense closing reasons.
- Load Offense Types: Loads the list of offense types.
Successful results for an action are placed in msg.payload.qradar.[uniqueId].response.
See the node’s documentation for up-to-date links to the QRadar API endpoint documentation.
The ID number of the offense being loaded or updated. When the Offense ID is set to Standard Offense ID Location, the offense ID is obtained from the standard response location in offense.id.
The Filter configuration option must conform to the rules specified in the QRadar filter syntax.
The Filter configuration option supports using mustache variable substitution from the incoming message. Visit the Template Engine and Formatters page to learn more.
To mark an offense as being protected, set this field to a JavaScript truthy value.
To mark an offense as needing follow up, set this field to a JavaScript truthy value.
The Status must evaluate to one of OPEN, HIDDEN, or CLOSED. Any other status value will result in a runtime error.
The Closing Reason ID is evaluated when the status is being set to CLOSED; otherwise it is ignored. When the Closing Reason ID is set to Standard Offense Closing Reason ID Location, the closing reason ID is obtained from the standard response location in either closingReason.id or closingReasons[0].id, with preference given to closingReason.id.
The username of the assignee for the offense being updated.
The text for the note to add to an offense. The Note configuration option supports using mustache variable substitution from the incoming message. Visit the Template Engine and Formatters page to learn more.
The closing reason description. The description must be between 5 and 60 characters. The Reason configuration option supports using mustache variable substitution from the incoming message. Visit the Template Engine and Formatters page to learn more.
The Selected Fields configuration option must evaluate to a comma separated list of field names or an array of field names. The field names depend on the returned object type or array element type.
To load reserved closing reasons, set this field to a JavaScript truthy value.
To load deleted closing reasons, set this field to a JavaScript truthy value.
To load all the notes associated with each matching offense, set this field to a JavaScript truthy value.
The Size Limit configuration option determines the maximum number of results to return. If set to Not Specified, no limit is placed in the request to QRadar.
The field to sort matching results by.
The sort order of the matching results.
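The resolution rules described above for the Update Offense action (Offense ID and Closing Reason ID taken from the standard response location, the allowed Status values, truthy Protected and Follow Up flags) and the Selected Fields option can be written out as a small amount of JavaScript. The block below is an added example, not the plugin's own code. It assumes the standard response location holds an object with offense, closingReason and closingReasons members, uses the string "standard" to stand in for the "Standard ... Location" choices, and names the keys of the resulting update object itself; the plugin's internal names and the QRadar request parameters are not taken from this page.

```javascript
// Added example, not the plugin's own code: applies the documented rules for
// the Update Offense action and the Selected Fields option.
// Assumed shape of the standard response location (this example's assumption):
//   msg.payload.qradar[uniqueId].response = { offense, closingReason, closingReasons }
const STANDARD_LOCATION = "standard"; // stand-in for the "Standard ... Location" choices
const VALID_STATUS = ["OPEN", "HIDDEN", "CLOSED"];

function standardResponse(msg, uniqueId) {
  const qradar = (msg.payload && msg.payload.qradar) || {};
  return (qradar[uniqueId] && qradar[uniqueId].response) || {};
}

// Offense ID: the configured value, or offense.id from the standard location.
function resolveOffenseId(config, response) {
  if (config.offenseId !== STANDARD_LOCATION) return config.offenseId;
  return response.offense ? response.offense.id : undefined;
}

// Closing Reason ID: configured value, else closingReason.id, else closingReasons[0].id.
function resolveClosingReasonId(config, response) {
  if (config.closingReasonId !== STANDARD_LOCATION) return config.closingReasonId;
  if (response.closingReason && response.closingReason.id != null) return response.closingReason.id;
  const list = response.closingReasons;
  if (Array.isArray(list) && list.length > 0 && list[0].id != null) return list[0].id;
  return undefined;
}

// Selected Fields: accepts a comma separated string or an array of field names.
function normalizeSelectedFields(value) {
  const names = Array.isArray(value) ? value : String(value == null ? "" : value).split(",");
  return names.map((n) => String(n).trim()).filter((n) => n.length > 0);
}

function buildOffenseUpdate(config, msg, uniqueId) {
  const response = standardResponse(msg, uniqueId);
  if (!VALID_STATUS.includes(config.status)) {
    throw new Error(`Status must be one of ${VALID_STATUS.join(", ")}, got: ${config.status}`);
  }
  const offenseId = resolveOffenseId(config, response);
  if (offenseId === undefined) throw new Error("Offense ID could not be resolved");
  const update = {
    offenseId,
    status: config.status,
    protected: Boolean(config.protected), // JavaScript truthiness, as documented
    followUp: Boolean(config.followUp),
  };
  if (config.assignedTo) update.assignedTo = config.assignedTo;
  if (config.status === "CLOSED") {
    // Only evaluated when closing; failing on an unresolved ID is this example's choice.
    const closingReasonId = resolveClosingReasonId(config, response);
    if (closingReasonId === undefined) throw new Error("Closing Reason ID could not be resolved");
    update.closingReasonId = closingReasonId;
  }
  return update;
}

// Constructed sample message, as an earlier node with uniqueId "qr1" might leave it.
const sampleMsg = {
  payload: { qradar: { qr1: { response: { offense: { id: 42 }, closingReasons: [{ id: 7 }] } } } },
};
console.log(buildOffenseUpdate(
  { offenseId: STANDARD_LOCATION, status: "CLOSED", closingReasonId: STANDARD_LOCATION,
    protected: 1, followUp: "", assignedTo: "analyst" },
  sampleMsg, "qr1"));
```

Note that the check on Status is exact: a value such as "Open" is rejected, matching the documented runtime error rather than being silently normalized.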
The display name of the node within the flows.
System-wide unique ID of the plugin instance.
Use Repeat to define how often a query for offenses is triggered. The left inject button on this node is used to immediately trigger the retrieval of offenses. If the repeat interval is set to zero, querying will not occur unless manually triggered using the left inject button.
Limit matches to offenses matching the filter criteria. If no filter is specified, this configuration option is ignored. The Filter configuration option must conform to the rules specified in the QRadar filter syntax. Do not filter on start_time or last_updated_time here. Instead, use the Created or Updated filter criteria.
Time relative to now when the offense was created. If the value is set to zero, it is ignored during the search. This adds a filter criterion on start_time.
Time relative to now when the offense was updated. If the value is set to zero, it is ignored during the search. This adds a filter criterion on last_updated_time.
Limit the returned fields (columns) of the matching offenses. If no fields are specified, this configuration option is ignored. Specify fields as a comma separated list of fields found in the Offense object.
The maximum number of offenses to find when this node is triggered. Each offense is sent through the flow as an individual message.
Determine the sort field of the matching offenses. If no field name is specified, this configuration option is ignored. Specify a field from the sortable list of fields found in the Offense object.
The sort order of the matching offenses.
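How the periodic search options combine into one query is easier to see in code. The block below is an added example, not the plugin's own code. Its assumptions: filter clauses are joined with "and" as the QRadar filter syntax allows, start_time and last_updated_time are compared as epoch milliseconds, the Created and Updated values are supplied as millisecond offsets, the fields, sort and Range shapes follow the QRadar REST API conventions as the author of this example knows them, rejecting start_time and last_updated_time in the free-form filter is this example's own enforcement of the advice above, and the fan-out puts each offense in the msg.payload.qradar.[uniqueId].response location used by the action node.

```javascript
// Added example, not the plugin's own code: turns the Find Offenses options
// described above into a request description and fans results out one per message.
function buildOffenseSearch(options, nowMs) {
  const clauses = [];
  const userFilter = (options.filter || "").trim();
  if (userFilter) {
    // The Created/Updated options own these fields; reject them in the free-form filter
    // (this example's enforcement of the documented advice).
    if (/\b(start_time|last_updated_time)\b/.test(userFilter)) {
      throw new Error("use the Created or Updated options instead of filtering on start_time or last_updated_time");
    }
    clauses.push(`(${userFilter})`);
  }
  // Zero means "ignored"; timestamps assumed to be epoch milliseconds.
  if (options.createdWithinMs > 0) clauses.push(`start_time > ${nowMs - options.createdWithinMs}`);
  if (options.updatedWithinMs > 0) clauses.push(`last_updated_time > ${nowMs - options.updatedWithinMs}`);

  const request = { query: {}, headers: {} };
  if (clauses.length > 0) request.query.filter = clauses.join(" and ");
  // Comma separated list of Offense object fields; empty means not restricted.
  const fields = (options.fields || "").split(",").map((f) => f.trim()).filter(Boolean);
  if (fields.length > 0) request.query.fields = fields.join(",");
  // "+field" / "-field" sort prefix and "items=a-b" Range header: assumed API conventions.
  if (options.sortField) {
    request.query.sort = `${options.sortOrder === "desc" ? "-" : "+"}${options.sortField}`;
  }
  if (options.maxOffenses > 0) request.headers.Range = `items=0-${options.maxOffenses - 1}`;
  return request;
}

// Each matching offense becomes its own message (location is an assumption).
function fanOut(offenses, uniqueId) {
  return offenses.map((offense) => ({ payload: { qradar: { [uniqueId]: { response: offense } } } }));
}

// Constructed options: open offenses created in the last hour, 50 at most, newest id first.
console.log(buildOffenseSearch(
  { filter: 'status = "OPEN"', createdWithinMs: 3600000, updatedWithinMs: 0,
    fields: "id, description", sortField: "id", sortOrder: "desc", maxOffenses: 50 },
  Date.now()));
```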
This node supports five modes for aggregating incidents.
- None: Never aggregate any incidents (default).
- Field Match: For a given source field of a message (or jsonata query of the message), aggregate together all messages whose field value exactly matches a previously checked message.
- Exact Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages whose field exactly matches a given value. One can specify multiple values. Each value specifies a separate grouping of incidents. Useful to aggregate messages with known content.
- Keyword Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages with a given keyword appearing as a word within the field. One can specify multiple keywords. Each keyword specifies a separate grouping of incidents. An incident is grouped with the first keyword it matches. Useful to aggregate messages with somewhat known content.
- Fuzzy Match: For a given source field of the message (or jsonata query of the message), aggregate together all messages for which this field is sufficiently similar to the message which started the incident. With this method, one can specify a similarity threshold. Messages matched with the fuzzy matcher get a similarity attribute added to the message which can be inspected to assist when establishing a threshold.
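The five modes above can be implemented in a few dozen lines; the block below is an added example of one such implementation, not the plugin's own code. It assumes the source field is addressed by a plain property name (the plugin also accepts a jsonata query) and measures "sufficiently similar" with a normalized Levenshtein similarity in the range 0 to 1, since the page does not state which measure the plugin uses. The similarity attribute is written onto matched messages, as described for the Fuzzy Match mode.

```javascript
// Added example, not the plugin's own code: groups a batch of messages into
// incidents using the None, Field, Exact, Keyword and Fuzzy Match modes.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Assumed similarity measure: 1 for identical strings, 0 for totally different.
function similarity(a, b) {
  const longest = Math.max(a.length, b.length);
  return longest === 0 ? 1 : 1 - levenshtein(a, b) / longest;
}

function fieldText(msg, field) {
  const value = msg[field]; // plain property name stands in for a jsonata query
  return value == null ? "" : String(value);
}

// Incident key for the non-fuzzy modes, or null when the message is not grouped.
function matchKey(config, text) {
  switch (config.mode) {
    case "field":   // group with earlier messages whose field value is identical
      return text;
    case "exact":   // one group per configured value
      return config.values.includes(text) ? text : null;
    case "keyword": { // one group per configured keyword; first matching keyword wins
      const words = new Set(text.toLowerCase().split(/\W+/).filter(Boolean));
      const hit = config.keywords.find((k) => words.has(k.toLowerCase()));
      return hit === undefined ? null : hit;
    }
    default:        // "none": never aggregate
      return null;
  }
}

function aggregate(messages, config) {
  const incidents = []; // { key, seed, messages }; seed is the field of the starting message
  const ungrouped = []; // messages that join no group (each stands alone)
  for (const msg of messages) {
    const text = fieldText(msg, config.field);
    let incident = null;
    let key = null;
    if (config.mode === "fuzzy") {
      let bestScore = -1;
      for (const inc of incidents) { // compare against the message that started each incident
        const score = similarity(text, inc.seed);
        if (score >= config.threshold && score > bestScore) { bestScore = score; incident = inc; }
      }
      if (incident) msg.similarity = bestScore; // exposed to help tune the threshold
      key = text; // no match: this message starts a new incident
    } else {
      key = matchKey(config, text);
      if (key !== null) incident = incidents.find((inc) => inc.key === key) || null;
    }
    if (incident) incident.messages.push(msg);
    else if (key !== null) incidents.push({ key, seed: text, messages: [msg] });
    else ungrouped.push(msg);
  }
  return { incidents, ungrouped };
}

// Constructed sample batch: two near-identical alerts and one unrelated one.
const batch = [
  { id: 1, text: "failed login from 10.0.0.1" },
  { id: 2, text: "failed login from 10.0.0.2" },
  { id: 3, text: "disk full on srv01" },
];
console.log(aggregate(batch, { mode: "fuzzy", field: "text", threshold: 0.8 }).incidents.length); // 2
```

With the threshold at 0.8 the second alert joins the first (one character differs out of 26, so its similarity attribute is about 0.96) while the third starts its own incident; lowering the threshold is how unrelated messages start to collapse together, which is exactly what the similarity attribute is there to reveal.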
©Nevelex Labs, LLC. 2018-2024, All Rights Reserved.