IBM QRadar

Use the QRadar integration to query offenses and create Demisto incidents from the offenses.

For more information about filter syntax, see the IBM support documentation.

QRadar Playbook

After you configure the QRadar integration, you can use the QRadar - Get offense correlations playbook. This playbook identifies and extracts additional information about a QRadar offense:

  • All correlations relevant to the offense.
  • The logs relevant to those correlations. To retrieve them, set the inputs.GetCorrelationLogs parameter to True in the Should query for the correlations' log task. At most 20 log entries are returned.

Troubleshooting Performance Issues

In some cases, AQL queries run from Demisto are slow. The cause is normally on the QRadar side (the Ariel search itself and QRadar API limitations), not in the integration. To confirm this, reproduce the search directly against the QRadar REST API with cURL and time each of the following steps.

1. Creating a search

Run the following command to create a new Ariel search through the QRadar API. The AQL query is passed in the query_expression parameter and must be URL-encoded.
The response is a JSON object; save its search_id for the next step.

curl -H "SEC: <API KEY>" -X POST <QRADAR INSTANCE>/api/ariel/searches?query_expression=<QUERY IN URL SAFE ENCODING>

2. Check the search status

Use the following command to check the status field of the search (for example EXECUTE while it runs, COMPLETED when it has finished, or ERROR if it failed). The search ID is a path segment, not a query-string parameter. Time how long the search takes to reach COMPLETED: that is the time QRadar needs regardless of how the search is started.

curl -H "SEC: <API KEY>" -X GET <QRADAR INSTANCE>/api/ariel/searches/<SEARCH ID>
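The three API calls behind every AQL search (create, poll, fetch results), as an added example that is not part of this page or of the Demisto integration's own code. It targets the Ariel endpoints named in the two cURL steps plus the /results endpoint those steps stop short of. The host https://qradar.example, the token value, and the FakeQRadar stand-in that replaces the network so the script runs offline are all constructed for the demonstration; the seconds_waited value the function returns is the number to compare against what you see from Demisto when troubleshooting.

```python
import json
import time
import urllib.parse
import urllib.request

# Statuses at which an Ariel search stops changing; anything else (WAIT, EXECUTE, SORTING) means keep polling.
TERMINAL_STATES = {"COMPLETED", "CANCELED", "ERROR"}


def create_search_url(base_url, aql):
    """Step 1: POST /api/ariel/searches with the AQL URL-encoded into query_expression."""
    return "%s/api/ariel/searches?query_expression=%s" % (
        base_url.rstrip("/"), urllib.parse.quote(aql, safe=""))


def search_status_url(base_url, search_id):
    """Step 2: GET /api/ariel/searches/{search_id}; the ID is a path segment, not a query string."""
    return "%s/api/ariel/searches/%s" % (base_url.rstrip("/"), urllib.parse.quote(search_id, safe=""))


def search_results_url(base_url, search_id):
    """Step 3: GET /api/ariel/searches/{search_id}/results, valid once the status is COMPLETED."""
    return search_status_url(base_url, search_id) + "/results"


def urllib_transport(method, url, headers):
    """Real HTTPS transport. Certificate verification is left on deliberately: the
    'Trust any certificate' instance option is the setting not to reproduce here."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))


def run_aql(base_url, token, aql, item_range="0-19", poll_interval=2.0, timeout=300.0,
            transport=urllib_transport, clock=time.monotonic, sleep=time.sleep):
    """Create a search, poll it to a terminal status, then fetch one page of results.
    Returns (search_id, final_status, results_or_None, seconds_waited)."""
    headers = {"SEC": token, "Accept": "application/json"}
    started = clock()
    created = transport("POST", create_search_url(base_url, aql), headers)
    search_id, status = created["search_id"], created.get("status", "WAIT")
    while status not in TERMINAL_STATES:
        if clock() - started > timeout:
            raise TimeoutError("search %s still %s after %.0fs" % (search_id, status, timeout))
        sleep(poll_interval)
        status = transport("GET", search_status_url(base_url, search_id), headers)["status"]
    waited = clock() - started
    if status != "COMPLETED":  # CANCELED or ERROR: there are no results to fetch
        return search_id, status, None, waited
    # QRadar pages results with a Range header (items=first-last), like the command's range argument.
    page_headers = dict(headers, Range="items=" + item_range)
    return search_id, status, transport("GET", search_results_url(base_url, search_id), page_headers), waited


class FakeClock:
    """Constructed clock so the offline demo never really sleeps."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeQRadar:
    """Constructed stand-in for the QRadar API: the search reports EXECUTE for
    `execute_polls` status checks and then `final_status`. Records every call."""
    def __init__(self, execute_polls=2, final_status="COMPLETED"):
        self.execute_polls, self.final_status, self.calls = execute_polls, final_status, []

    def __call__(self, method, url, headers):
        if headers.get("SEC") != "secret-token":
            raise PermissionError("missing or wrong SEC token")  # a real QRadar answers HTTP 401
        self.calls.append((method, url, headers.get("Range")))
        if method == "POST":
            return {"search_id": "14b1d702-edba-43e7-b01c-36f8da1ed016", "status": "WAIT"}
        if url.endswith("/results"):
            return {"events": [{"MY Source IPs": "172.31.25.170"}]}  # constructed, mirrors the page's sample
        polls = sum(1 for m, u, _ in self.calls if m == "GET" and not u.endswith("/results"))
        return {"status": "EXECUTE" if polls <= self.execute_polls else self.final_status}


def demo(execute_polls=2, final_status="COMPLETED", timeout=300.0):
    """Run the whole exchange against the fake so the flow can be inspected offline."""
    fake, clk = FakeQRadar(execute_polls, final_status), FakeClock()
    search_id, status, results, waited = run_aql(
        "https://qradar.example", "secret-token",
        "SELECT sourceip AS 'MY Source IPs' FROM events LAST 10 MINUTES",
        transport=fake, clock=clk.now, sleep=clk.sleep, timeout=timeout)
    return {"search_id": search_id, "status": status, "results": results,
            "waited": waited, "calls": fake.calls}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real instance, call run_aql with the server URL and API token and leave transport at its default; the timeout argument is what stops a playbook from hanging on a search that never leaves EXECUTE, and the CANCELED/ERROR branch is the case the cURL steps above do not cover.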

Configure QRadar on Demisto

  1. Navigate to Settings > Integrations > Servers & Services .
  2. Search for QRadar.
  3. Click Add instance to create and configure a new integration instance.
    • Name : a textual name for the integration instance.
    • Server URL (e.g., https://192.168.0.1)
    • Username
    • Authentication token
    • Query to fetch offenses
    • Number of offenses to pull per API call
    • Trust any certificate (not secure): disables TLS certificate verification for the connection to QRadar. Leave it unchecked and fix the QRadar certificate chain instead; with it checked, the API token can be captured by anyone able to interpose on the connection.
    • Use system proxy settings
    • Fetch incidents
    • Incident type
    • Full Incident Enrichment: controls whether fetched offenses are fully enriched. Without full enrichment, the integration limits the number of requests it sends to QRadar while fetching incidents; as a side effect, the source_address_ids and local_destination_address_ids fields then contain QRadar IDs rather than the resolved addresses.
  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Get offenses: qradar-offenses
  2. Get an offense by offense ID: qradar-offense-by-id
  3. Search QRadar using AQL: qradar-searches
  4. Get a search ID and state: qradar-get-search
  5. Get search results: qradar-get-search-results
  6. Update an offense: qradar-update-offense
  7. List all assets: qradar-get-assets
  8. Get an asset by the asset ID: qradar-get-asset-by-id
  9. List offense closing reasons: qradar-get-closing-reasons
  10. Create a note for an offense: qradar-create-note
  11. Get a note for an offense: qradar-get-note
  12. Get a reference by the reference name: qradar-get-reference-by-name
  13. Create a reference set: qradar-create-reference-set
  14. Delete a reference set: qradar-delete-reference-set
  15. Create a value in a reference set: qradar-create-reference-set-value
  16. Add or update a value in a reference set: qradar-update-reference-set-value
  17. Delete a value from a reference set: qradar-delete-reference-set-value

1. Get offenses


Gets offenses from QRadar.

Base Command

qradar-offenses

Input
Argument Name Description Required
filter Query to filter offenses. For more information, see the QRadar documentation. Optional
fields Comma-separated list of the QRadar field names to return; fields that are not named are excluded from the response. Specify subfields in brackets, and separate multiple fields of the same object with commas. For more information, see the QRadar documentation. Optional
range Range of results to return, e.g., 0-20 Optional
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional

Context Output
Path Type Description
QRadar.Offense.Followup boolean Offense followup
QRadar.Offense.ID number The ID of the offense
QRadar.Offense.Description string The description of the offense
QRadar.Offense.SourceAddress unknown The source addresses that are associated with the offense
QRadar.Offense.DestinationAddress unknown The local destination addresses that are associated with the offense. If the offense has a remote destination, retrieve the addresses with the QRadarFullSearch playbook and the following query, substituting the offense ID:
SELECT destinationip FROM events WHERE inOffense(<offense ID>) GROUP BY destinationip
QRadar.Offense.RemoteDestinationCount unknown The number of remote destinations that are associated with the offense. A value greater than 0 means the offense has remote destinations, which you can retrieve with the QRadarFullSearch playbook and the same query:
SELECT destinationip FROM events WHERE inOffense(<offense ID>) GROUP BY destinationip
QRadar.Offense.StartTime date The time (ISO) when the offense was started.
QRadar.Offense.EventCount number The number of events that are associated with the offense
QRadar.Offense.Magnitude number The magnitude of the offense
QRadar.Offense.LastUpdatedTime date The time (ISO) when the offense was last updated
QRadar.Offense.OffenseType string The offense type name (for example Username). Due to API limitations, if a username and password were not configured for the instance, this value is the numeric ID of the offense type instead.

Command Examples
  !qradar-offenses range=0-1 filter="follow_up = false" headers=ID,Magnitude
  !qradar-offenses fields="id,start_time"
Context Example
{
    "QRadar": {
        "Offense": {
            "Followup": false, 
            "Description": "Multiple Login Failures for the Same User\n preceded by shachar_test\n containing Failed Login Attempt\n", 
            "EventCount": 3, 
            "Magnitude": 3, 
            "OffenseType": "Username", 
            "StartTime": "2018-10-16T13:07:36.245000Z", 
            "SourceAddress": [
                "94.188.164.68"
            ], 
            "ID": 78, 
            "LastUpdatedTime": "2018-10-16T13:07:40.675000Z"
        }
    }
}
Human Readable Output

image

2. Get an offense by offense ID


Gets the offense with the matching offense ID from QRadar.

Base Command

qradar-offense-by-id

Input
Argument Name Description Required
offense_id Offense ID Required
filter Query to filter offenses. For more information, see the QRadar documentation. Optional
fields Comma-separated list of the QRadar field names to return; fields that are not named are excluded from the response. Specify subfields in brackets, and separate multiple fields of the same object with commas. For more information, see the QRadar documentation. Optional
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional

Context Output
Path Type Description
QRadar.Offense.Credibility number The credibility of the offense
QRadar.Offense.Relevance number The relevance of the offense
QRadar.Offense.Severity number The severity of the offense
QRadar.Offense.SourceAddress unknown The source addresses that are associated with the offense.
QRadar.Offense.DestinationAddress unknown The local destination addresses that are associated with the offense. If the offense has a remote destination, retrieve the addresses with the QRadarFullSearch playbook and the following query, substituting the offense ID:
SELECT destinationip FROM events WHERE inOffense(<offense ID>) GROUP BY destinationip
QRadar.Offense.RemoteDestinationCount unknown The number of remote destinations that are associated with the offense. A value greater than 0 means the offense has remote destinations, which you can retrieve with the QRadarFullSearch playbook and the same query:
SELECT destinationip FROM events WHERE inOffense(<offense ID>) GROUP BY destinationip
QRadar.Offense.AssignedTo string The user the offense is assigned to
QRadar.Offense.StartTime date The time (ISO) when the offense started
QRadar.Offense.ID int The ID of the offense.
QRadar.Offense.DestinationHostname unknown Destination hostname
QRadar.Offense.Description string The description of the offense
QRadar.Offense.EventCount number The number of events that are associated with the offense.
QRadar.Offense.OffenseSource string The source of the offense.
QRadar.Offense.Status string The status of the offense ("OPEN", "HIDDEN", or "CLOSED")
QRadar.Offense.Magnitude number The magnitude of the offense.
QRadar.Offense.ClosingUser string The user that closed the offense
QRadar.Offense.ClosingReason string The offense closing reason.
QRadar.Offense.CloseTime date The time when the offense was closed.
QRadar.Offense.LastUpdatedTime date The time (ISO) when the offense was last updated.
QRadar.Offense.Categories unknown Event categories that are associated with the offense.
QRadar.Offense.FlowCount number The number of flows that are associated with the offense.
QRadar.Offense.Followup boolean Offense followup.
QRadar.Offense.OffenseType string The offense type name, or its numeric ID if a username and password were not configured for the instance (see qradar-offenses)
QRadar.Offense.Protected boolean Is the offense protected

Command Example
!qradar-offense-by-id fields=id,magnitude offense_id=78
!qradar-offense-by-id offense_id=78
Context Example
{
    "QRadar": {
        "Offense": {
            "Followup": false, 
            "OffenseSource": "admin", 
            "Description": "Multiple Login Failures for the Same User\n preceded by shachar_test\n containing Failed Login Attempt\n", 
            "EventCount": 3, 
            "Credibility": 3, 
            "Status": "OPEN", 
            "DestinationHostname": [
                "Net-10-172-192.Net_172_16_0_0"
            ], 
            "StartTime": "2018-10-16T13:07:36.245000Z", 
            "Protected": false, 
            "Magnitude": 3, 
            "FlowCount": 0, 
            "OffenseType": "Username", 
            "SourceAddress": [
                "94.188.164.68"
            ], 
            "Relevance": 3, 
            "Severity": 7, 
            "ID": 78, 
            "Categories": [
                "User Login Failure", 
                "SIM User Authentication"
            ], 
            "LastUpdatedTime": "2018-10-16T13:07:40.675000Z"
        }
    }
}
Human Readable Output

image

3. Search QRadar using AQL


Starts an AQL search in QRadar. The search runs asynchronously: this command returns the search ID and initial status, and the results must be collected afterwards with qradar-get-search (poll until the status is COMPLETED) and qradar-get-search-results. The QRadarFullSearch playbook performs these three steps for you and is the recommended way to run a search; it returns the result directly.

Base Command

qradar-searches

Input
Argument Name Description Required
query_expression The query expression in AQL. For more information, see the Ariel Query Language documentation. Required
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional

Context Output
Path Type Description
QRadar.Search.ID string Search ID
QRadar.Search.Status string The status of the search (for example EXECUTE, COMPLETED, or ERROR)

Command Example
!qradar-searches query_expression="SELECT sourceip AS 'MY Source IPs' FROM events"
Context Example
{
    "QRadar": {
        "Search": {
            "Status": "EXECUTE", 
            "ID": "14b1d702-edba-43e7-b01c-36f8da1ed016"
        }
    }
}
Human Readable Output

image

4. Get a search ID and state


Gets the current status of a search by its search ID. Poll this until the status is COMPLETED before calling qradar-get-search-results.

Base Command

qradar-get-search

Input
Argument Name Description Required
search_id The search ID Required
headers Table headers to use the human readable output (if none provided, will show all table headers) Optional

Context Output
Path Type Description
QRadar.Search.ID string Search ID
QRadar.Search.Status string The status of the search (for example EXECUTE, COMPLETED, or ERROR)

Command Example
!qradar-get-search search_id=14b1d702-edba-43e7-b01c-36f8da1ed016
Context Example
{
    "QRadar": {
        "Search": {
            "Status": "COMPLETED", 
            "ID": "14b1d702-edba-43e7-b01c-36f8da1ed016"
        }
    }
}
Human Readable Output

image

5. Get search results


Gets the results of a search. The search must have reached the COMPLETED status; use the range argument to page through large result sets.

Base Command

qradar-get-search-results

Input
Argument Name Description Required
search_id The search ID Required
range Range of results to return, e.g., 0-20 Optional
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional
output_path Replaces the default context output path for the query result (QRadar.Search.Result). For example, with output_path=QRadar.Correlations the result is stored under the key QRadar.Correlations in the context data. Optional

Context Output
Path Type Description
QRadar.Search.Result unknown The result of the search

Command Example
!qradar-get-search-results search_id=14b1d702-edba-43e7-b01c-36f8da1ed016 range=0-0
Context Example
{
    "QRadar": {
        "Search": {
            "Result": {
                "events": [
                    {
                        "MY Source IPs": "172.31.25.170"
                    }
                ]
            }
        }
    }
}
Human Readable Output

image

6. Update an offense


Updates an offense.

Base Command

qradar-update-offense

Input
Argument Name Description Required
offense_id The ID of the offense to update Required
protected Set to true to protect the offense Optional
follow_up Set to true to set the follow up flag on the offense Optional
status The new status for the offense (OPEN, HIDDEN, or CLOSED) Optional
closing_reason_name The name of a closing reason. You must provide a valid closing_reason_name when you close an offense (status=CLOSED). The default closing reasons are: (1) False-Positive, Tuned (2) Non-Issue (3) Policy Violation. Use qradar-get-closing-reasons to list the reasons defined on your instance. Optional
assigned_to A user to assign the offense to Optional
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional
fields Comma-separated list of the QRadar field names to return; fields that are not named are excluded from the response. Specify subfields in brackets, and separate multiple fields of the same object with commas. For more information, see the QRadar documentation. Optional

Context Output
Path Type Description
QRadar.Offense.Credibility number The credibility of the offense
QRadar.Offense.Relevance number The relevance of the offense
QRadar.Offense.Severity number The severity of the offense
QRadar.Offense.SourceAddress unknown The source addresses that are associated with the offense.
QRadar.Offense.DestinationAddress unknown The destination addresses that are associated with the offense.
QRadar.Offense.AssignedTo string The user the offense is assigned to.
QRadar.Offense.StartTime date The time (ISO) when the offense was started.
QRadar.Offense.ID int The ID of the offense.
QRadar.Offense.DestinationHostname unknown Destination hostname
QRadar.Offense.Description string The description of the offense.
QRadar.Offense.EventCount number The number of events that are associated with the offense.
QRadar.Offense.OffenseSource string The source of the offense.
QRadar.Offense.Status string The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
QRadar.Offense.Magnitude number The magnitude of the offense.
QRadar.Offense.ClosingUser string The user that closed the offense
QRadar.Offense.ClosingReason string The offense closing reason.
QRadar.Offense.CloseTime date The time when the offense was closed.
QRadar.Offense.LastUpdatedTime date The time (ISO) when the offense was last updated.
QRadar.Offense.Categories unknown Event categories that are associated with the offense.
QRadar.Offense.FlowCount number The number of flows that are associated with the offense.
QRadar.Offense.Followup boolean Offense followup.
QRadar.Offense.OffenseType string The offense type name, or its numeric ID if a username and password were not configured for the instance (see qradar-offenses)
QRadar.Offense.Protected boolean Is the offense protected

Command Example
!qradar-update-offense offense_id=78 protected=false
Context Example
{
    "QRadar": {
        "Offense": {
            "Followup": false, 
            "OffenseSource": "admin", 
            "Description": "Multiple Login Failures for the Same User\n preceded by shachar_test\n containing Failed Login Attempt\n", 
            "EventCount": 3, 
            "Credibility": 3, 
            "Status": "OPEN", 
            "DestinationHostname": [
                "Net-10-172-192.Net_172_16_0_0"
            ], 
            "StartTime": "2018-10-16T13:07:36.245000Z", 
            "Protected": false, 
            "Magnitude": 3, 
            "FlowCount": 0, 
            "OffenseType": "Username", 
            "SourceAddress": [
                "94.188.164.68"
            ], 
            "Relevance": 3, 
            "Severity": 7, 
            "ID": 78, 
            "Categories": [
                "User Login Failure", 
                "SIM User Authentication"
            ], 
            "LastUpdatedTime": "2018-10-16T13:07:40.675000Z"
        }
    }
}
Human Readable Output

image

7. List all assets


Lists all assets in the QRadar asset model.

Base Command

qradar-get-assets

Input
Argument Name Description Required
filter Query to filter assets. For more information, see the QRadar documentation. Optional
fields Comma-separated list of the QRadar field names to return; fields that are not named are excluded from the response. Specify subfields in brackets, and separate multiple fields of the same object with commas. For more information, see the QRadar documentation. Optional
range Range of results to return, e.g., 0-20 Optional
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional

Context Output
Path Type Description
QRadar.Assets.ID number The ID of the asset
Endpoint.IPAddress unknown IP address of the asset
QRadar.Assets.Name.Value string Name of the asset
Endpoint.OS number Asset OS
QRadar.Assets.AggregatedCVSSScore.Value number Aggregated CVSS score
QRadar.Assets.AggregatedCVSSScore.LastUser string Last user who updated the Aggregated CVSS Score
QRadar.Assets.Weight.Value number Asset weight
QRadar.Assets.Weight.LastUser string Last user who updated the weight
QRadar.Assets.Name.LastUser string Last user who updated the name

Command Example
!qradar-get-assets range=0-1
Context Example
{
    "QRadar": {
        "Asset": {
            "AggregatedCVSSScore": {
                "LastUser": "USER:admin", 
                "Value": "h"
            }, 
            "ID": 1001, 
            "Weight": {
                "LastUser": "USER:admin", 
                "Value": "10"
            }, 
            "Name": {
                "LastUser": "USER:admin", 
                "Value": "Test"
            }
        }
    }, 
    "Endpoint": {
        "OS": "80345", 
        "IPAddress": [
            "10.0.0.1", 
            "10.0.0.2"
        ]
    }
}
Human Readable Output

image

8. Get an asset by the asset ID


Retrieves the asset by ID.

Base Command

qradar-get-asset-by-id

Input
Argument Name Description Required
asset_id The ID of the requested asset. Required

Context Output
Path Type Description
QRadar.Assets.ID number The ID of the asset.
Endpoint.MACAddress unknown Asset MAC address.
Endpoint.IPAddress unknown IP addresses of the asset (the value entries of the asset's ip_addresses)
QRadar.Assets.ComplianceNotes.Value string Compliance notes
QRadar.Assets.CompliancePlan.Value string Compliance plan
QRadar.Assets.CollateralDamagePotential.Value unknown Collateral damage potential
QRadar.Assets.AggregatedCVSSScore.Value number Aggregated CVSS score
QRadar.Assets.Name.Value string Name of the asset
QRadar.Assets.GroupName string Name of the asset's group
Endpoint.Domain unknown DNS name
Endpoint.OS unknown Asset OS
QRadar.Assets.Weight.Value number Asset weight
QRadar.Assets.Vulnerabilities.Value unknown Vulnerabilities
QRadar.Assets.Location string Location.
QRadar.Assets.Description string The asset description.
QRadar.Assets.SwitchID number Switch ID
QRadar.Assets.SwitchPort number Switch port.
QRadar.Assets.Name.LastUser string Last user who updated the name
QRadar.Assets.AggregatedCVSSScore.LastUser string Last user who updated the Aggregated CVSS Score
QRadar.Assets.Weight.LastUser string Last user who updated the weight
QRadar.Assets.ComplianceNotes.LastUser string Last user who updated the compliance notes
QRadar.Assets.CompliancePlan.LastUser string Last user who updated the compliance plan
QRadar.Assets.CollateralDamagePotential.LastUser string Last user who updated the collateral damage potential
QRadar.Assets.Vulnerabilities.LastUser string Last user who updated the vulnerabilities

Command Example
!qradar-get-asset-by-id asset_id=1001
Context Example
{
    "QRadar": {
        "Asset": {
            "Name": {
                "LastUser": "USER:admin", 
                "Value": "Test"
            }, 
            "Weight": {
                "LastUser": "USER:admin", 
                "Value": "10"
            }, 
            "SwitchPort": {
                "LastUser": "USER:admin", 
                "Value": "1"
            }, 
            "SwitchID": {
                "LastUser": "USER:admin", 
                "Value": "1"
            }, 
            "AggregatedCVSSScore": {
                "LastUser": "USER:admin", 
                "Value": "h"
            }, 
            "Location": {
                "LastUser": "USER:admin", 
                "Value": "Israel"
            }, 
            "CompliancePlan": {
                "LastUser": "USER:admin", 
                "Value": "Correction Plan"
            }, 
            "ID": 1001, 
            "ComplianceNotes": {
                "LastUser": "USER:admin", 
                "Value": "some notes"
            }
        }
    }, 
    "Endpoint": [
        {
            "OS": "80345", 
            "IPAddress": [
                "10.0.0.1", 
                "10.0.0.2"
            ]
        }, 
        {
            "MACAddress": [
                "Unknown NIC"
            ], 
            "OS": "80345", 
            "IPAddress": [
                "10.0.0.1", 
                "10.0.0.2"
            ]
        }
    ]
}
Human Readable Output

image

9. List offense closing reasons


Gets the closing reasons defined on the QRadar instance. Use the Name values with the closing_reason_name argument of qradar-update-offense.

Base Command

qradar-get-closing-reasons

Input
Argument Name Description Required
include_reserved If true, reserved closing reasons are included in the response Optional
include_deleted If true, deleted closing reasons are included in the response Optional
filter Query to filter results. For more information, see the QRadar documentation. Optional
fields Comma-separated list of the QRadar field names to return; fields that are not named are excluded from the response. Specify subfields in brackets, and separate multiple fields of the same object with commas. For more information, see the QRadar documentation. Optional
range Range of results to return, e.g., 0-20 Optional

Context Output
Path Type Description
QRadar.Offense.ClosingReasons.ID number Closing reason ID
QRadar.Offense.ClosingReasons.Name string Closing reason name
QRadar.Offense.ClosingReasons.IsReserved boolean Whether the closing reason is reserved by QRadar
QRadar.Offense.ClosingReasons.IsDeleted boolean Whether the closing reason has been deleted

Command Example
!qradar-get-closing-reasons include_reserved=false
Context Example
{
    "QRadar": {
        "Offense": {
            "ClosingReasons": [
                {
                    "IsReserved": false, 
                    "ID": 2, 
                    "IsDeleted": false, 
                    "Name": "False-Positive, Tuned"
                }, 
                {
                    "IsReserved": false, 
                    "ID": 1, 
                    "IsDeleted": false, 
                    "Name": "Non-Issue"
                }, 
                {
                    "IsReserved": false, 
                    "ID": 3, 
                    "IsDeleted": false, 
                    "Name": "Policy Violation"
                }, 
                {
                    "IsReserved": false, 
                    "ID": 54, 
                    "IsDeleted": false, 
                    "Name": "Duplicate"
                }
            ]
        }
    }
}
Human Readable Output

image

10. Create a note for an offense


Creates a note on an offense.

Base Command

qradar-create-note

Input
Argument Name Description Required
offense_id The offense ID to add the note to Required
note_text The note text Required
fields Comma-separated list of the QRadar field names to return; fields that are not named are excluded from the response. Specify subfields in brackets, and separate multiple fields of the same object with commas. For more information, see the QRadar documentation. Optional
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional

Context Output
Path Type Description
QRadar.Note.ID number Note ID
QRadar.Note.Text string Note text
QRadar.Note.CreateTime date The creation time of the note
QRadar.Note.CreatedBy string The user who created the note

Command Example
!qradar-create-note offense_id=78 note_text="Demisto has the best documentation!"
Context Example
{
    "QRadar": {
        "Note": {
            "Text": "Demisto has the best documentation!", 
            "CreateTime": "2018-10-29T13:26:57.579000Z", 
            "CreatedBy": "API_user: admin", 
            "ID": 190
        }
    }
}
Human Readable Output

image

11. Get a note for an offense


Retrieve a note for an offense.

Base Command

qradar-get-note

Input
Argument Name Description Required
offense_id The offense ID to retrieve the note from Required
note_id The note ID Optional
fields Comma-separated list of the QRadar field names to return; fields that are not named are excluded from the response. Specify subfields in brackets, and separate multiple fields of the same object with commas. For more information, see the QRadar documentation. Optional
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional

Context Output
Path Type Description
QRadar.Note.ID number Note ID
QRadar.Note.Text string Note text
QRadar.Note.CreateTime date The creation time of the note
QRadar.Note.CreatedBy string The user who created the note

Command Example
!qradar-get-note offense_id=78 note_id=190 fields=id,create_time
Context Example
{
    "QRadar": {
        "Note": {
            "Text": "Demisto has the best documentation!", 
            "CreateTime": "2018-10-29T13:26:57.579000Z", 
            "CreatedBy": "API_user: admin", 
            "ID": 190
        }
    }
}
Human Readable Output

image

12. Get a reference by the reference name


Returns information about a reference set (name, element type, timeout type, time to live, number of elements) together with the data it contains. This command requires QRadar API version 8.1 or later.

Base Command

qradar-get-reference-by-name

Input
Argument Name Description Required
ref_name The name of the requested reference. Required
headers Table headers to use in the human-readable output (if none are provided, all table headers are shown) Optional
date_value If true, the integration tries to convert the data values of a DATE reference set from epoch milliseconds to ISO-8601 strings Optional

Context Output
Path Type Description
QRadar.Reference.Name string The name of the reference set
QRadar.Reference.CreationTime date The creation time (ISO) of the reference
QRadar.Reference.ElementType string Reference element type
QRadar.Reference.NumberOfElements number Number of elements
QRadar.Reference.TimeToLive string Reference time to live
QRadar.Reference.TimeoutType string Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN)
QRadar.Reference.Data unknown Reference set items

Command Example
!qradar-get-reference-by-name ref_name=Date date_value=True
Context Example
{
    "QRadar": {
        "Reference": {
            "Name": "Date", 
            "CreationTime": "2018-11-27T11:34:23.110000Z", 
            "TimeoutType": "UNKNOWN", 
            "ElementType": "DATE", 
            "Data": [
                {
                    "Source": "reference data api", 
                    "Value": "2018-11-27T11:34:23.000000Z", 
                    "LastSeen": "2018-11-27T11:34:59.552000Z", 
                    "FirstSeen": "2018-11-27T11:34:59.552000Z"
                }
            ], 
            "NumberOfElements": 1
        }
    }
}
Human Readable Output

image

13. Create a reference set


Creates a new reference set. If the specified name is already in use, the command will fail.

Base Command

qradar-create-reference-set

Input
Argument Name Description Required
ref_name Reference name to be created Required
element_type The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric, ignore case), IP (IP address), NUM (numeric), PORT (port number), or DATE. Date values must be represented in milliseconds since the Unix epoch (January 1, 1970 UTC). Required
timeout_type The allowed values are FIRST_SEEN, LAST_SEEN, and UNKNOWN. The default value is UNKNOWN. Optional
time_to_live The time to live interval, for example "1 month" or "5 minutes" Optional

Context Output
Path Type Description
QRadar.Reference.CreationTime date Creation time of the reference set
QRadar.Reference.ElementType string The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE.
QRadar.Reference.Name string Name of the reference set
QRadar.Reference.NumberOfElements number Number of elements in the created reference set.
QRadar.Reference.TimeoutType string Timeout type of the reference (FIRST_SEEN, LAST_SEEN and UNKNOWN)

Command Example
!qradar-create-reference-set element_type=DATE ref_name=Date
Context Example
{
    "QRadar": {
        "Reference": {
            "TimeoutType": "UNKNOWN", 
            "ElementType": "DATE", 
            "CreationTime": "2018-11-27T11:34:23.000000Z", 
            "Name": "Date", 
            "NumberOfElements": 1
        }
    }
}
Human Readable Output

image

14. Delete a reference set


Deletes a reference set corresponding to the name provided.

Base Command

qradar-delete-reference-set

Input
Argument Name Description Required
ref_name The name of reference set to delete Required

Context Output

There is no context output for this command.

Command Example
!qradar-delete-reference-set ref_name=Date
Human Readable Output

image

15. Create a value in a reference set


Creates a value in a reference set.

Base Command

qradar-create-reference-set-value

Input
Argument Name Description Required
ref_name The name of the reference set to add or update a value in Required
value The value to add or update in the reference set. Date values must be represented in milliseconds since the Unix epoch (January 1, 1970 UTC) unless date_value is true. Required
source An indication of where the data originated. The default value is 'reference data api'. Optional
date_value If true, the integration converts the value argument from the date format %Y-%m-%dT%H:%M:%S.%f000Z (e.g., 2018-11-06T08:56:41.000000Z) to epoch milliseconds before sending it. Optional

Context Output
Path Type Description
QRadar.Reference.Name string The name of the reference set
QRadar.Reference.CreationTime date The creation time (ISO) of the reference
QRadar.Reference.ElementType string Reference element type
QRadar.Reference.NumberOfElements number Number of elements
QRadar.Reference.TimeoutType string Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN)

Command Example

The following two commands each add a value to the reference set 'Date'.

The first passes the value as a time string instead of an epoch value. A reference set of element type DATE must be populated with epoch millisecond values, but when date_value is set to True the integration translates the time string into the equivalent epoch value before sending it, so the reference set holds an epoch value either way. Note that the fractional second is part of the value: 2018-11-27T11:34:23.110000Z corresponds to epoch millisecond 1543318463110, whereas the second command writes 1543318463000 (11:34:23.000Z), so the two entries differ by 110 ms.

!qradar-create-reference-set-value ref_name=Date value=2018-11-27T11:34:23.110000Z date_value=True
!qradar-create-reference-set-value ref_name=Date value=1543318463000
Context Example
{
    "QRadar": {
        "Reference": {
            "TimeoutType": "UNKNOWN", 
            "ElementType": "DATE", 
            "CreationTime": "2018-11-27T11:34:23.110000Z", 
            "Name": "Date", 
            "NumberOfElements": 1
        }
    }
}
Human Readable Output

image

16. Add or update a value in a reference set


Adds or updates a value in a reference set.

Base Command

qradar-update-reference-set-value

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to add or update a value in. | Required |
| value | The value to add or update in the reference set. Date values must be represented in milliseconds since the Unix Epoch (January 1, 1970). | Required |
| source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
| date_value | If true, converts the value argument from the date format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g., 2018-11-06T08:56:41.000000Z) to epoch milliseconds. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.Name | string | The name of the reference set |
| QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference set |
| QRadar.Reference.ElementType | string | Reference element type |
| QRadar.Reference.NumberOfElements | number | Number of elements |
| QRadar.Reference.TimeoutType | string | Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN) |

Command Example
!qradar-update-reference-set-value ref_name="Documentation Reference" value="Important information" source="Documentation1"
Context Example
{
    "QRadar": {
        "Reference": {
            "TimeoutType": "UNKNOWN", 
            "ElementType": "ALN", 
            "CreationTime": "2018-11-21T11:42:25.492000Z", 
            "Name": "Documentation Reference", 
            "NumberOfElements": 1
        }
    }
}
Human Readable Output

image

17. Delete a value from a reference set


Deletes a value from a reference set.

Base Command

qradar-delete-reference-set-value

Input
| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to remove a value from. | Required |
| value | The value to remove from the reference set. | Required |
| date_value | If true, converts the value argument from the date format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g., 2018-11-06T08:56:41.000000Z) to epoch milliseconds. | Optional |

Context Output
| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.Name | string | The name of the reference set |
| QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference set |
| QRadar.Reference.ElementType | string | Reference element type |
| QRadar.Reference.NumberOfElements | number | Number of elements |
| QRadar.Reference.TimeoutType | string | Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN) |

Command Example

Both of the following commands remove the same value from the reference set 'Date'.

The first provides the value as a time string instead of an epoch value. A reference set of element type 'DATE' stores epoch values (milliseconds), but when the argument date_value is set to True the integration converts the time string to its epoch equivalent before sending the request. So even though the input is a time string, the value removed from the reference set is the same epoch value, 1543318463000, that the second command passes directly.

!qradar-delete-reference-set-value ref_name=Date value=2018-11-27T11:34:23.000000Z date_value=True
!qradar-delete-reference-set-value ref_name=Date value=1543318463000
Context Example
{
    "QRadar": {
        "Reference": {
            "TimeoutType": "UNKNOWN", 
            "ElementType": "DATE", 
            "CreationTime": "2018-11-27T11:34:23.110000Z", 
            "Name": "Date", 
            "NumberOfElements": 0
        }
    }
}
Human Readable Output

image
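The create and delete examples on the 'Date' set above both depend on the date_value conversion and on the value being sent to QRadar's reference data API. The following added example, which is not the integration's own code, reimplements that conversion with the format string documented for date_value and builds the corresponding REST request for each command. The endpoint paths (POST /api/reference_data/sets/{name} with a value query parameter, DELETE /api/reference_data/sets/{name}/{value}, DELETE /api/reference_data/sets/{name}) are the QRadar reference_data API paths as assumed here and should be checked against your QRadar version; the function names are the example's own.

```python
"""Added example: reproduces the date_value conversion documented for the
reference-set commands and builds the matching QRadar REST requests.
Not the integration's code. Endpoint paths are the QRadar reference_data
API paths as assumed here; check them against your QRadar version."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import quote

# Format string exactly as documented for date_value. Because '%f' matches
# one to six digits and must be followed by the literal '000Z', only
# millisecond precision (six fractional digits ending in 000) is accepted.
DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f000Z"
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch_millis(value: str, date_value: bool = False) -> int:
    """Return the value as epoch milliseconds.

    With date_value=False the value must already be an epoch in milliseconds
    (what a DATE reference set stores). With date_value=True the time string
    is parsed with DATE_FORMAT and converted, as the documentation describes.
    """
    if not date_value:
        if not value.isdigit():
            raise ValueError(f"expected epoch milliseconds, got {value!r}")
        return int(value)
    parsed = datetime.strptime(value, DATE_FORMAT).replace(tzinfo=timezone.utc)
    # Integer timedelta arithmetic avoids float rounding from .timestamp().
    return (parsed - EPOCH) // timedelta(milliseconds=1)


def accepts_date_format(value: str) -> bool:
    """True if the value matches DATE_FORMAT, i.e. date_value=True would work."""
    try:
        datetime.strptime(value, DATE_FORMAT)
    except ValueError:
        return False
    return True


def reference_set_request(action: str, ref_name: str, value: Optional[str] = None,
                          source: Optional[str] = None, date_value: bool = False) -> Dict:
    """Build method, path and query parameters for one of the documented commands.

    action: 'delete-set', 'add' (create or update a value) or 'delete-value'.
    ref_name and value are caller-controlled, so both are percent-encoded:
    the set name always sits in the URL path and, for deletion, so does the value.
    """
    base = f"/api/reference_data/sets/{quote(ref_name, safe='')}"
    if action == "delete-set":
        return {"method": "DELETE", "path": base, "params": {}}
    if value is None:
        raise ValueError("value is required for this action")
    normalised = str(to_epoch_millis(value, True)) if date_value else value
    if action == "add":
        params = {"value": normalised}
        if source:
            params["source"] = source
        return {"method": "POST", "path": base, "params": params}
    if action == "delete-value":
        return {"method": "DELETE",
                "path": f"{base}/{quote(normalised, safe='')}", "params": {}}
    raise ValueError(f"unknown action {action!r}")


if __name__ == "__main__":
    # The two documented forms of the same value on the 'Date' set.
    print(to_epoch_millis("2018-11-27T11:34:23.000000Z", date_value=True))  # 1543318463000
    print(to_epoch_millis("1543318463000"))                                  # 1543318463000
    # Microsecond precision does not match the documented format.
    print(accepts_date_format("2018-11-27T11:34:23.123456Z"))                # False
    print(reference_set_request("add", "Documentation Reference",
                                "Important information", source="Documentation1"))
```

Two points worth noting from running it: a time string with non-zero microseconds (for example .123456Z) is rejected by the documented format, so such values must be passed as epoch milliseconds with date_value left unset; and a reference set name containing spaces, such as 'Documentation Reference', is percent-encoded in the path, which is where an un-encoded, attacker-influenced name or value could otherwise alter the request.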