PostEvent

The PostEvent action posts an event to the QRadar event pipeline, which allows the event to be parsed, correlated, and stored.

The following table shows the parameters for the PostEvent action.

Table 1. PostEvent action parameters
| Name | Data type | Required | Notes |
|---|---|---|---|
| path | JPath | Yes | The path of the element to post. |
| encoding | String | No | The encoding of the event. Possible values: UTF-8, BASE64, HEX. The default is UTF-8. |
| source | String | Yes (Optional field for V2_1) | The source (host) of the event. The source value is used to route the event within the event pipeline to the correct log source. The event is matched to the log source identifier of an existing log source. For V1 and V2, if no log source exists with a matching log source identifier, the event is stored without parsing and a copy of the event is sent to the log source autodetection engine. For V2_1, if no source attribute is defined in the workflow, the value of the log source identifier is used as the event generation source. If a log source is autodetected from the event, it is created with its log source identifier set to the source value. |

XML Example:

For V1 and V2

This action posts the array of strings that are stored in the State at /events into the QRadar event pipeline as a series of events. If a log source has a log source identifier that matches the value that is stored in /host, the events are routed to that log source.

<PostEvents path="/events" source="${/host}" />

For V2_1

This action posts the array of strings that are stored in the State at /events into the QRadar event pipeline as a series of events.

<PostEvents path="/events" />
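The parameter rules in Table 1 can be checked before a workflow is deployed, so that events are not posted without the source that routes them to a log source. The following lint is an added example, not IBM code: the function name `lint_post_actions`, the caller-supplied version string, the exact-case comparison of encoding values, and the sample XML are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ALLOWED = {"path", "encoding", "source"}   # parameter names from Table 1
ENCODINGS = {"UTF-8", "BASE64", "HEX"}     # compared exactly as listed (assumption)
SOURCE_OPTIONAL = {"V2_1"}                 # source is optional only for V2_1


def lint_post_actions(workflow_xml, version):
    """Return findings for PostEvent/PostEvents elements in a workflow fragment."""
    try:
        root = ET.fromstring(workflow_xml)
    except ET.ParseError as exc:
        # Curly quotes pasted from a web page or document end up here.
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]    # drop an XML namespace if present
        if tag not in ("PostEvent", "PostEvents"):
            continue
        attrs = set(el.attrib)
        for name in sorted(attrs - ALLOWED):
            findings.append(f"{tag}: unknown attribute '{name}'")
        if "path" not in attrs:
            findings.append(f"{tag}: missing required 'path'")
        if "source" not in attrs and version not in SOURCE_OPTIONAL:
            findings.append(f"{tag}: 'source' is required for {version}")
        encoding = el.get("encoding", "UTF-8")   # UTF-8 is the documented default
        if encoding not in ENCODINGS:
            findings.append(f"{tag}: unsupported encoding '{encoding}'")
    return findings


# Constructed sample fragment, not taken from a real workflow.
SAMPLE = """<Actions>
  <PostEvents path="/events" source="${/host}" />
  <PostEvents path="/events" host="${/host}" />
  <PostEvent path="/event" encoding="UTF-16" source="${/host}" />
  <PostEvents path="/events" />
</Actions>"""

if __name__ == "__main__":
    for schema_version in ("V2", "V2_1"):
        print(schema_version)
        for finding in lint_post_actions(SAMPLE, schema_version):
            print("  " + finding)
```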