Hi everyone,
I'm trying to run queries in the Google SecOps (Chronicle) Native Dashboard using SOAR-related data sources such as Cases, Alerts, Playbooks, and Case History, following the official documentation:
However, when running queries like the one below, I get the following error:
Query
match:
  case.status
outcome:
  $count=count(case.name)
Error
{
  "error": {
    "code": 400,
    "message": "generic::invalid_argument: SOAR data source not supported: invalid argument",
    "status": "INVALID_ARGUMENT",
    "details": [
      {
        "@type": "type.googleapis.com/google.rpc.ErrorInfo",
        "domain": "chronicle.googleapis.com"
      }
    ]
  }
}
I've verified that I'm using the documented data sources and fields correctly.
Is there any prerequisite to enable SOAR data sources in the Native Dashboard? Or is this feature not yet generally available?
Any insights would be appreciated.
Thanks in advance!
SOAR data sources aren't available yet - I had the exact same issue a few weeks ago and was asked to speak to our TAM to get access to it once it hits private preview.
Reach out to your account manager and ask to be added once it becomes available.