IBM QRadar (Deprecated)
This Integration is part of the IBM QRadar Pack.
Deprecated. Use IBM QRadar v2 or IBM QRadar v3 instead.
This integration was integrated and tested with QRadar v7.3.1 and API versions 8.0, 8.1, and 9.0. The QRadar integration is deprecated from QRadar v7.3.2 Patch 2. If you are using a later version of QRadar, use the QRadar v2 integration.
Use the QRadar integration to query offenses and create Cortex XSOAR incidents from the offenses.
For more information about filter syntax, see the IBM support documentation.
QRadar Playbook
After you configure the QRadar integration, you can use the QRadar - Get offense correlations playbook. This playbook identifies and extracts additional information about QRadar offenses:
- All correlations relevant to the offense.
- Logs relevant to the correlations. Make sure that in the "Should query for the correlations' log" task you set the inputs.GetCorrelationLogs parameter to True. The maximum log count is 20.
Troubleshooting Performance Issues
In some cases, you might encounter performance issues when running QRadar AQL queries from Cortex XSOAR. This issue is caused by QRadar API limitations. We recommend that you test the QRadar API performance by running several cURL scripts.
1. Creating a search
Run the following command to use the QRadar API to create a new search. Save the search ID (search_id) returned in the response for the next step. The query expression must be URL-encoded, and the URL should be quoted so the shell does not interpret the query string.
curl -H "SEC: <API KEY>" -X POST "<QRADAR INSTANCE>/api/ariel/searches?query_expression=<QUERY IN URL SAFE ENCODING>"
2. Check whether the search status is COMPLETED or still executing
Use the following command to check the search status (EXECUTE, COMPLETED, or ERROR). The search ID is a path segment of the searches endpoint.
curl -H "SEC: <API KEY>" -X GET "<QRADAR INSTANCE>/api/ariel/searches/<QUERY ID>"
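The same three-step procedure (create the search, poll its status, then fetch the results) as an added Python example; this is not code from the page or from the Cortex XSOAR QRadar integration. It assumes the two endpoints the curl commands above use plus the standard GET /api/ariel/searches/<search id>/results endpoint and the SEC token header. The fake transport, the search ID, the result row and offense ID 78 are constructed from the page's own examples so the block runs offline; using inOffense(78) with the offense ID as the argument is an assumption about what the page's inOffense() placeholder stands for.

```python
"""Ariel (AQL) search lifecycle against the QRadar REST API: create, poll, fetch.

Added example, not code from the page or from the Cortex XSOAR QRadar integration.
Assumed endpoints: POST /api/ariel/searches?query_expression=<url-encoded AQL>,
GET /api/ariel/searches/<id> (status) and GET /api/ariel/searches/<id>/results.
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# Transport signature: send(method, path, extra_headers) -> parsed JSON body.
Transport = Callable[[str, str, Dict[str, str]], Dict[str, Any]]


class SearchFailed(Exception):
    """The search ended in ERROR (or CANCELED) instead of COMPLETED."""


class SearchTimeout(Exception):
    """The search did not reach a terminal state within the polling budget."""


def encode_query(aql: str) -> str:
    """URL-safe encoding for the query_expression parameter (space -> %20, quote -> %27)."""
    return urllib.parse.quote(aql, safe="")


def urllib_transport(base_url: str, token: str, timeout: float = 30.0) -> Transport:
    """Real transport: one JSON request per call, API token in the SEC header as in the curl commands."""
    def send(method: str, path: str, extra_headers: Dict[str, str]) -> Dict[str, Any]:
        headers = {"SEC": token, "Accept": "application/json", **extra_headers}
        req = urllib.request.Request(base_url.rstrip("/") + path, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.loads(resp.read().decode("utf-8"))
    return send


class ArielSearch:
    """Runs the create / poll / fetch procedure the troubleshooting section describes with curl."""

    def __init__(self, send: Transport, poll_interval: float = 2.0,
                 max_polls: int = 60, sleep: Callable[[float], None] = time.sleep):
        self.send = send
        self.poll_interval = poll_interval
        self.max_polls = max_polls
        self.sleep = sleep

    def create(self, aql: str) -> str:
        """Step 1: POST the search; the response carries the search_id to poll."""
        body = self.send("POST", "/api/ariel/searches?query_expression=" + encode_query(aql), {})
        return body["search_id"]

    def wait(self, search_id: str) -> Dict[str, Any]:
        """Step 2: poll the status until COMPLETED, fail on ERROR, give up after max_polls."""
        for _ in range(self.max_polls):
            status = self.send("GET", f"/api/ariel/searches/{search_id}", {})
            state = status.get("status")
            if state == "COMPLETED":
                return status
            if state in ("ERROR", "CANCELED"):
                raise SearchFailed(f"search {search_id} ended in state {state}")
            self.sleep(self.poll_interval)  # still EXECUTE: back off instead of hammering the API
        raise SearchTimeout(f"search {search_id} not complete after {self.max_polls} polls")

    def results(self, search_id: str, first: int = 0, last: Optional[int] = None) -> Dict[str, Any]:
        """Step 3: fetch results; a Range header pages them like the command's range=0-20 argument."""
        headers = {"Range": f"items={first}-{last}"} if last is not None else {}
        return self.send("GET", f"/api/ariel/searches/{search_id}/results", headers)

    def run(self, aql: str, first: int = 0, last: Optional[int] = None) -> Dict[str, Any]:
        search_id = self.create(aql)
        self.wait(search_id)
        return self.results(search_id, first, last)


def make_fake_transport(polls_until_complete: int, final_state: str = "COMPLETED") -> Transport:
    """Constructed stand-in for a QRadar server so the example runs offline.

    Records every request in send.calls; status checks report EXECUTE
    polls_until_complete times, then final_state.
    """
    calls: List[tuple] = []
    polls = {"n": 0}

    def send(method: str, path: str, extra_headers: Dict[str, str]) -> Dict[str, Any]:
        calls.append((method, path, extra_headers))
        if method == "POST":
            return {"search_id": "14b1d702-edba-43e7-b01c-36f8da1ed016", "status": "EXECUTE"}
        if path.endswith("/results"):
            return {"events": [{"destinationip": "172.31.25.170"}]}  # constructed result row
        polls["n"] += 1
        state = final_state if polls["n"] > polls_until_complete else "EXECUTE"
        return {"search_id": path.rsplit("/", 1)[-1], "status": state}

    send.calls = calls  # type: ignore[attr-defined]
    return send


def demo() -> Dict[str, Any]:
    """Run the page's remote-destination query for offense 78 against the fake server."""
    aql = "SELECT destinationip FROM events WHERE inOffense(78) GROUP BY destinationip"
    fake = make_fake_transport(polls_until_complete=2)
    search = ArielSearch(fake, poll_interval=0, sleep=lambda _: None)
    result = search.run(aql, first=0, last=0)
    return {"result": result, "requests": len(fake.calls), "calls": fake.calls}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The sleep between status checks is the part that matters for the performance problem this section is about: a tight loop against /api/ariel/searches multiplies the API calls per playbook run, so the poll interval and the poll budget should be tuned against how long searches actually take on the instance.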
Configure QRadar on Cortex XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for QRadar.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Server URL (e.g. https://192.168.0.1)
- Username
- Authentication token
- Query to fetch offenses
- Number of offenses to pull per API call
- Trust any certificate (not secure)
- Use system proxy settings
- Fetch incidents
- Incident type
- Full Incident Enrichment - controls whether offenses are enriched during fetch-incidents. Without enrichment, the integration limits the number of requests it sends to QRadar; as a side effect, the source_address_ids and local_destination_address_ids fields contain QRadar IDs rather than resolved values.
- Number of addresses to enrich per API call
- Click Test to validate the URLs, token, and connection.
Fetch incidents:
You can apply additional (optional) filters to the fetch-incidents query using the Query to fetch offenses integration parameter. For more information on how to use the filter syntax, see the QRadar filter documentation and the QRadar offense documentation.
- Full Incident Enrichment - Clear this checkbox to disable the QRadar offense enrichment performed in fetch-incidents. This might help if you encounter a timeout while fetching new incidents.
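One way the enrichment trade-off described above can be implemented, as an added Python example that is not the integration's own code: address IDs taken from an offense are chunked so that each API call resolves at most "Number of addresses to enrich per API call" of them, and each chunk becomes a single request with an `id in (...)` filter and a `fields` projection. The endpoint /api/siem/source_addresses and the field name source_ip are assumptions taken from the public QRadar API; the fake fetch function, its address table and offense 78's ID list are constructed so the block runs offline.

```python
"""Batched address enrichment for fetch-incidents.

Added example, not code from the page or the Cortex XSOAR QRadar integration.
IDs are chunked, every chunk becomes one GET with an `id in (...)` filter and a
`fields` projection. /api/siem/source_addresses and source_ip are assumed
names; the fake fetch below stands in for QRadar.
"""
import urllib.parse
from typing import Any, Callable, Dict, Iterable, Iterator, List, Sequence

# fetch(path_with_query) -> list of JSON objects; a real one sends GET with the SEC header.
Fetch = Callable[[str], List[Dict[str, Any]]]


def chunked(items: Sequence[Any], size: int) -> Iterator[Sequence[Any]]:
    """Yield consecutive slices of at most `size` items."""
    if size < 1:
        raise ValueError("per-call batch size must be at least 1")
    for start in range(0, len(items), size):
        yield items[start:start + size]


def address_filter(ids: Iterable[Any]) -> str:
    """Build a QRadar filter such as `id in (1,2,3)`.

    Offense data is untrusted input to the filter language, so every ID is
    coerced to int: anything that is not a bare integer raises ValueError
    instead of being spliced into the filter string.
    """
    return "id in (" + ",".join(str(int(i)) for i in ids) + ")"


def enrich_addresses(fetch: Fetch, ids: Sequence[Any], per_call: int,
                     endpoint: str = "/api/siem/source_addresses",
                     fields: str = "id,source_ip") -> Dict[int, Dict[str, Any]]:
    """Resolve address IDs to address objects using ceil(len(ids) / per_call) requests."""
    resolved: Dict[int, Dict[str, Any]] = {}
    for batch in chunked(list(ids), per_call):
        query = urllib.parse.urlencode({"filter": address_filter(batch), "fields": fields})
        for item in fetch(f"{endpoint}?{query}"):
            resolved[int(item["id"])] = item
    return resolved


def resolve_offense(offense: Dict[str, Any], fetch: Fetch, per_call: int) -> Dict[str, Any]:
    """Return a copy of the offense with source_address_ids expanded to IPs.

    IDs the API did not return are kept as bare IDs so nothing is silently dropped.
    """
    ids = offense.get("source_address_ids", [])
    addresses = enrich_addresses(fetch, ids, per_call)
    out = dict(offense)
    out["source_addresses"] = [addresses[int(i)]["source_ip"] if int(i) in addresses else int(i)
                               for i in ids]
    return out


def make_fake_fetch(table: Dict[int, str]) -> Fetch:
    """Constructed stand-in for QRadar: answers `id in (...)` filters from a dict and counts calls."""
    calls: List[str] = []

    def fetch(path: str) -> List[Dict[str, Any]]:
        calls.append(path)
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)
        flt = params["filter"][0]  # e.g. "id in (1,2)"
        wanted = [int(x) for x in flt[flt.index("(") + 1:flt.index(")")].split(",")]
        return [{"id": i, "source_ip": table[i]} for i in wanted if i in table]

    fetch.calls = calls  # type: ignore[attr-defined]
    return fetch


def demo() -> Dict[str, Any]:
    """Enrich a constructed offense (ID 78 as in the page's examples), two addresses per call."""
    table = {1: "10.0.0.1", 2: "10.0.0.2", 3: "94.188.164.68", 4: "10.0.0.4"}  # constructed
    fake = make_fake_fetch(table)
    offense = {"id": 78, "source_address_ids": [1, 2, 3, 4, 5]}  # ID 5 has no address record
    enriched = resolve_offense(offense, fake, per_call=2)
    return {"offense": enriched, "api_calls": len(fake.calls), "paths": fake.calls}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Five IDs with a batch size of two cost three requests; raising the batch size lowers the request count at the price of longer filter strings and larger responses, which is the knob the "Number of addresses to enrich per API call" parameter exposes.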
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Get offenses: qradar-offenses
- Get an offense by offense ID: qradar-offense-by-id
- Search QRadar using AQL: qradar-searches
- Get a search ID and state: qradar-get-search
- Get search results: qradar-get-search-results
- Update an offense: qradar-update-offense
- List all assets: qradar-get-assets
- Get an asset by the asset ID: qradar-get-asset-by-id
- Get the reason an offense was closed: qradar-get-closing-reasons
- Create a note for an offense: qradar-create-note
- Get a note for an offense: qradar-get-note
- Get a reference by the reference name: qradar-get-reference-by-name
- Create a reference set: qradar-create-reference-set
- Delete a reference set: qradar-delete-reference-set
- Create a value in a reference set: qradar-create-reference-set-value
- Add or update a value in a reference set: qradar-update-reference-set-value
- Delete a value from a reference set: qradar-delete-reference-set-value
1. Get offenses
Gets offenses from QRadar.
Base Command
qradar-offenses
Input
Argument Name | Description | Required |
---|---|---|
filter | Query to filter offenses. For more information, see the QRadar documentation. | Optional |
fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names. For more information, see the QRadar documentation. | Optional |
range | Range of results to return, e.g., 0-20 | Optional |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Offense.Followup | boolean | Offense followup |
QRadar.Offense.ID | number | The ID of the offense |
QRadar.Offense.Description | string | The description of the offense |
QRadar.Offense.SourceAddress | unknown | The source addresses that are associated with the offense |
QRadar.Offense.DestinationAddress | unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense() GROUP BY destinationip |
QRadar.Offense.RemoteDestinationCount | unknown | The number of remote destinations that are associated with the offense. If this value is greater than 0, the offense has a remote destination and you need to use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense() GROUP BY destinationip |
QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
QRadar.Offense.EventCount | number | The number of events that are associated with the offense |
QRadar.Offense.Magnitude | number | The magnitude of the offense |
QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated |
QRadar.Offense.OffenseType | string | The offense type (due to API limitations if username and password were not provided, this value will be the id of offense type) |
Command Examples
!qradar-offenses range=0-1 filter="follow_up = false" headers=ID,Magnitude
!qradar-offenses fields="id,start_time"
Context Example
{ "QRadar": { "Offense": { "Followup": false, "Description": "Multiple Login Failures for the Same User\n preceded by shachar_test\n containing Failed Login Attempt\n", "EventCount": 3, "Magnitude": 3, "OffenseType": "Username", "StartTime": "2018-10-16T13:07:36.245000Z", "SourceAddress": [ "94.188.164.68" ], "ID": 78, "LastUpdatedTime": "2018-10-16T13:07:40.675000Z" } } }
Human Readable Output
2. Get an offense by offense ID
Gets the offense with the matching offense ID from QRadar.
Base Command
qradar-offense-by-id
Input
Argument Name | Description | Required |
---|---|---|
offense_id | Offense ID | Required |
filter | Query to filter offenses. For more information, see the QRadar documentation. | Optional |
fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names. For more information, see the QRadar documentation. | Optional |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Offense.Credibility | number | The credibility of the offense |
QRadar.Offense.Relevance | number | The relevance of the offense |
QRadar.Offense.Severity | number | The severity of the offense |
QRadar.Offense.SourceAddress | unknown | The source addresses that are associated with the offense. |
QRadar.Offense.DestinationAddress | unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense() GROUP BY destinationip |
QRadar.Offense.RemoteDestinationCount | unknown | The number of remote destinations that are associated with the offense. If this value is greater than 0, the offense has a remote destination and you need to use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense() GROUP BY destinationip |
QRadar.Offense.AssignedTo | string | The user the offense is assigned to |
QRadar.Offense.StartTime | date | The time (ISO) when the offense started |
QRadar.Offense.ID | int | The ID of the offense. |
QRadar.Offense.DestinationHostname | unknown | Destination hostname |
QRadar.Offense.Description | string | The description of the offense |
QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
QRadar.Offense.OffenseSource | string | The source of the offense. |
QRadar.Offense.Status | string | The status of the offense ("OPEN", "HIDDEN", or "CLOSED") |
QRadar.Offense.Magnitude | number | The magnitude of the offense. |
QRadar.Offense.ClosingUser | string | The user that closed the offense |
QRadar.Offense.ClosingReason | string | The offense closing reason. |
QRadar.Offense.CloseTime | date | The time when the offense was closed. |
QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
QRadar.Offense.Categories | unknown | Event categories that are associated with the offense. |
QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
QRadar.Offense.FollowUp | boolean | Offense followup. |
QRadar.Offense.OffenseType | string | A number that represents the offense type |
QRadar.Offense.Protected | boolean | Is the offense protected |
Command Example
!qradar-offense-by-id fields=id,magnitude offense_id=78
!qradar-offense-by-id offense_id=78
Context Example
{ "QRadar": { "Offense": { "Followup": false, "OffenseSource": "admin", "Description": "Multiple Login Failures for the Same User\n preceded by shachar_test\n containing Failed Login Attempt\n", "EventCount": 3, "Credibility": 3, "Status": "OPEN", "DestinationHostname": [ "Net-10-172-192.Net_172_16_0_0" ], "StartTime": "2018-10-16T13:07:36.245000Z", "Protected": false, "Magnitude": 3, "FlowCount": 0, "OffenseType": "Username", "SourceAddress": [ "94.188.164.68" ], "Relevance": 3, "Severity": 7, "ID": 78, "Categories": [ "User Login Failure", "SIM User Authentication" ], "LastUpdatedTime": "2018-10-16T13:07:40.675000Z" } } }
Human Readable Output
3. Search QRadar using AQL
Searches in QRadar using AQL. It is highly recommended to use the 'QRadarFullSearch' playbook instead of this command: the playbook executes the search and returns the result, whereas this command only starts it.
Base Command
qradar-searches
Input
Argument Name | Description | Required |
---|---|---|
query_expression | The query expression in AQL. For more information, see the Ariel Query Language documentation. | Required |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Search.ID | number | Search ID |
QRadar.Search.State | string | The state of the search |
Command Example
!qradar-searches query_expression="SELECT sourceip AS 'MY Source IPs' FROM events"
Context Example
{ "QRadar": { "Search": { "Status": "EXECUTE", "ID": "14b1d702-edba-43e7-b01c-36f8da1ed016" } } }
Human Readable Output
4. Get a search ID and state
Gets a specific search ID and state.
Base Command
qradar-get-search
Input
Argument Name | Description | Required |
---|---|---|
search_id | The search ID | Required |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Search.ID | number | Search ID |
QRadar.Search.State | string | The state of the search |
Command Example
!qradar-get-search search_id=14b1d702-edba-43e7-b01c-36f8da1ed016
Context Example
{ "QRadar": { "Search": { "Status": "COMPLETED", "ID": "14b1d702-edba-43e7-b01c-36f8da1ed016" } } }
Human Readable Output
5. Get search results
Gets search results.
Base Command
qradar-get-search-results
Input
Argument Name | Description | Required |
---|---|---|
search_id | The search ID | Required |
range | Range of results to return, e.g., 0-20 | Optional |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
output_path | Replaces the default context output path for the query result (QRadar.Search.Result). For example, with output_path=QRadar.Correlations the result is stored under the key QRadar.Correlations in the context data. | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Search.Result | unknown | The result of the search |
Command Example
!qradar-get-search-results search_id=14b1d702-edba-43e7-b01c-36f8da1ed016 range=0-0
Context Example
{ "QRadar": { "Search": { "Result": { "events": [ { "MY Source IPs": "172.31.25.170" } ] } } } }
Human Readable Output
6. Update an offense
Updates an offense.
Base Command
qradar-update-offense
Input
Argument Name | Description | Required |
---|---|---|
offense_id | The ID of the offense to update | Required |
protected | Set to true to protect the offense | Optional |
follow_up | Set to true to set the follow up flag on the offense | Optional |
status | The new status for the offense | Optional |
closing_reason_name | The name of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation | Optional |
assigned_to | A user to assign the offense to | Optional |
headers | Table headers | Optional |
fields | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. For more information, see the QRadar documentation. | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Offense.Credibility | number | The credibility of the offense |
QRadar.Offense.Relevance | number | The relevance of the offense |
QRadar.Offense.Severity | number | The severity of the offense |
QRadar.Offense.SourceAddress | unknown | The source addresses that are associated with the offense. |
QRadar.Offense.DestinationAddress | unknown | The destination addresses that are associated with the offense. |
QRadar.Offense.AssignedTo | string | The user the offense is assigned to. |
QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
QRadar.Offense.ID | int | The ID of the offense. |
QRadar.Offense.DestinationHostname | unknown | Destination hostname |
QRadar.Offense.Description | string | The description of the offense. |
QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
QRadar.Offense.OffenseSource | string | The source of the offense. |
QRadar.Offense.Status | string | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
QRadar.Offense.Magnitude | number | The magnitude of the offense. |
QRadar.Offense.ClosingUser | string | The user that closed the offense |
QRadar.Offense.ClosingReason | string | The offense closing reason. |
QRadar.Offense.CloseTime | date | The time when the offense was closed. |
QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
QRadar.Offense.Categories | unknown | Event categories that are associated with the offense. |
QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
QRadar.Offense.FollowUp | boolean | Offense followup. |
QRadar.Offense.OffenseType | string | A number that represents the offense type |
QRadar.Offense.Protected | boolean | Is the offense protected |
Command Example
!qradar-update-offense offense_id=78 protected=false
Context Example
{ "QRadar": { "Offense": { "Followup": false, "OffenseSource": "admin", "Description": "Multiple Login Failures for the Same User\n preceded by shachar_test\n containing Failed Login Attempt\n", "EventCount": 3, "Credibility": 3, "Status": "OPEN", "DestinationHostname": [ "Net-10-172-192.Net_172_16_0_0" ], "StartTime": "2018-10-16T13:07:36.245000Z", "Protected": false, "Magnitude": 3, "FlowCount": 0, "OffenseType": "Username", "SourceAddress": [ "94.188.164.68" ], "Relevance": 3, "Severity": 7, "ID": 78, "Categories": [ "User Login Failure", "SIM User Authentication" ], "LastUpdatedTime": "2018-10-16T13:07:40.675000Z" } } }
Human Readable Output
7. List all assets
List all assets found in the model.
Base Command
qradar-get-assets
Input
Argument Name | Description | Required |
---|---|---|
filter | Query to filter assets. For more information, see the QRadar documentation. | Optional |
fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names. For more information, see the QRadar documentation. | Optional |
range | Range of results to return, e.g., 0-20 | Optional |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Assets.ID | number | The ID of the asset |
Endpoint.IPAddress | unknown | IP address of the asset |
QRadar.Assets.Name.Value | string | Name of the asset |
Endpoint.OS | number | Asset OS |
QRadar.Assets.AggregatedCVSSScore.Value | number | CVSSScore |
QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
QRadar.Assets.Weight.Value | number | Asset weight |
QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
QRadar.Assets.Name.LastUser | string | Last user who updated the name |
Command Example
!qradar-get-assets range=0-1
Context Example
{ "QRadar": { "Asset": { "AggregatedCVSSScore": { "LastUser": "USER:admin", "Value": "h" }, "ID": 1001, "Weight": { "LastUser": "USER:admin", "Value": "10" }, "Name": { "LastUser": "USER:admin", "Value": "Test" } } }, "Endpoint": { "OS": "80345", "IPAddress": [ "10.0.0.1", "10.0.0.2" ] } }
Human Readable Output
8. Get an asset by the asset ID
Retrieves the asset by ID.
Base Command
qradar-get-asset-by-id
Input
Argument Name | Description | Required |
---|---|---|
asset_id | The ID of the requested asset. | Required |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Assets.ID | number | The ID of the asset. |
Endpoint.MACAddress | unknown | Asset MAC address. |
Endpoint.IPAddress | unknown | IP addresses of the asset (taken from the value of each ip_addresses entry) |
QRadar.Assets.ComplianceNotes.Value | string | Compliance notes |
QRadar.Assets.CompliancePlan.Value | string | Compliance plan |
QRadar.Assets.CollateralDamagePotential.Value | unknown | Collateral damage potential |
QRadar.Assets.AggregatedCVSSScore.Value | number | CVSSScore |
QRadar.Assets.Name.Value | string | Name of the asset |
QRadar.Assets.GroupName | string | Name of the asset's group |
Endpoint.Domain | unknown | DNS name |
Endpoint.OS | unknown | Asset OS |
QRadar.Assets.Weight.Value | number | Asset weight |
QRadar.Assets.Vulnerabilities.Value | unknown | Vulnerabilities |
QRadar.Assets.Location | string | Location. |
QRadar.Assets.Description | string | The asset description. |
QRadar.Assets.SwitchID | number | Switch ID |
QRadar.Assets.SwitchPort | number | Switch port. |
QRadar.Assets.Name.LastUser | string | Last user who updated the name |
QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
QRadar.Assets.ComplianceNotes.LastUser | string | Last user who updated the compliance notes |
QRadar.Assets.CompliancePlan.LastUser | string | Last user who updated the compliance plan |
QRadar.Assets.CollateralDamagePotential.LastUser | string | Last user who updated the collateral damage potential |
QRadar.Assets.Vulnerabilities.LastUser | string | Last user who updated the vulnerabilities |
Command Example
!qradar-get-asset-by-id asset_id=1001
Context Example
{ "QRadar": { "Asset": { "Name": { "LastUser": "USER:admin", "Value": "Test" }, "Weight": { "LastUser": "USER:admin", "Value": "10" }, "SwitchPort": { "LastUser": "USER:admin", "Value": "1" }, "SwitchID": { "LastUser": "USER:admin", "Value": "1" }, "AggregatedCVSSScore": { "LastUser": "USER:admin", "Value": "h" }, "Location": { "LastUser": "USER:admin", "Value": "Israel" }, "CompliancePlan": { "LastUser": "USER:admin", "Value": "Correction Plan" }, "ID": 1001, "ComplianceNotes": { "LastUser": "USER:admin", "Value": "some notes" } } }, "Endpoint": [ { "OS": "80345", "IPAddress": [ "10.0.0.1", "10.0.0.2" ] }, { "MACAddress": [ "Unknown NIC" ], "OS": "80345", "IPAddress": [ "10.0.0.1", "10.0.0.2" ] } ] }
Human Readable Output
9. Get the reason an offense was closed
Get closing reasons.
Base Command
qradar-get-closing-reasons
Input
Argument Name | Description | Required |
---|---|---|
include_reserved | If true, reserved closing reasons are included in the response | Optional |
include_deleted | If true, deleted closing reasons are included in the response | Optional |
filter | Query to filter results. For more information, see the QRadar documentation. | Optional |
fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names. For more information, see the QRadar documentation. | Optional |
range | Range of results to return, e.g., 0-20 | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Offense.ClosingReasons.ID | number | Closing reason ID |
QRadar.Offense.ClosingReasons.Name | string | Closing reason name |
Command Example
!qradar-get-closing-reasons include_reserved=false
Context Example
{ "QRadar": { "Offense": { "ClosingReasons": [ { "IsReserved": false, "ID": 2, "IsDeleted": false, "Name": "False-Positive, Tuned" }, { "IsReserved": false, "ID": 1, "IsDeleted": false, "Name": "Non-Issue" }, { "IsReserved": false, "ID": 3, "IsDeleted": false, "Name": "Policy Violation" }, { "IsReserved": false, "ID": 54, "IsDeleted": false, "Name": "Duplicate" } ] } } }
Human Readable Output
10. Create a note for an offense
Creates a note on an offense.
Base Command
qradar-create-note
Input
Argument Name | Description | Required |
---|---|---|
offense_id | The offense ID to add the note to | Required |
note_text | The note text | Required |
fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names. For more information, see the QRadar documentation. | Optional |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Note.ID | number | Note ID |
QRadar.Note.Text | string | Note text |
QRadar.Note.CreateTime | date | The creation time of the note |
QRadar.Note.CreatedBy | string | The user who created the note |
Command Example
!qradar-create-note offense_id=78 note_text="Demisto has the best documentation!"
Context Example
{ "QRadar": { "Note": { "Text": "Demisto has the best documentation!", "CreateTime": "2018-10-29T13:26:57.579000Z", "CreatedBy": "API_user: admin", "ID": 190 } } }
Human Readable Output
11. Get a note for an offense
Retrieve a note for an offense.
Base Command
qradar-get-note
Input
Argument Name | Description | Required |
---|---|---|
offense_id | The offense ID to retrieve the note from | Required |
note_id | The note ID | Optional |
fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names. For more information, see the QRadar documentation. | Optional |
headers | Table headers to use in the human readable output (if none provided, all table headers are shown) | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Note.ID | number | Note ID |
QRadar.Note.Text | string | Note text |
QRadar.Note.CreateTime | date | The creation time of the note |
QRadar.Note.CreatedBy | string | The user who created the note |
Command Example
!qradar-get-note offense_id=78 note_id=190 fields=id,create_time
Context Example
{ "QRadar": { "Note": { "Text": "Demisto has the best documentation!", "CreateTime": "2018-10-29T13:26:57.579000Z", "CreatedBy": "API_user: admin", "ID": 190 } } }
Human Readable Output
12. Get a reference by the reference name
Returns information about a reference set that had data added or updated. This returns information about the set but not the contained data. This feature is supported from version 8.1 and later.
Base Command
qradar-get-reference-by-name
Input
Argument Name | Description | Required |
---|---|---|
ref_name | The name of the requested reference. | Required |
headers | Table headers to use in the human readable output (if not specified, all table headers are shown) | Optional |
date_value | If true, will try to convert the data values to an ISO-8601 string | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference |
QRadar.Reference.ElementType | string | Reference element type |
QRadar.Reference.NumberOfElements | number | Number of elements |
QRadar.Reference.TimeToLive | string | Reference time to live |
QRadar.Reference.TimeoutType | string | Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN) |
QRadar.Reference.Data | unknown | Reference set items |
Command Example
!qradar-get-reference-by-name ref_name=Date date_value=True
Context Example
{ "QRadar": { "Reference": { "Name": "Date", "CreationTime": "2018-11-27T11:34:23.110000Z", "TimeoutType": "UNKNOWN", "ElementType": "DATE", "Data": [ { "Source": "reference data api", "Value": "2018-11-27T11:34:23.000000Z", "LastSeen": "2018-11-27T11:34:59.552000Z", "FirstSeen": "2018-11-27T11:34:59.552000Z" } ], "NumberOfElements": 1 } } }
Human Readable Output
13. Create a reference set
Creates a new reference set. If the specified name is already in use, the command will fail.
Base Command
qradar-create-reference-set
Input
Argument Name | Description | Required |
---|---|---|
ref_name | Reference name to be created | Required |
element_type | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch, January 1st 1970. | Required |
timeout_type | The allowed values are FIRST_SEEN, LAST_SEEN and UNKNOWN. The default value is UNKNOWN. | Optional |
time_to_live | The time to live interval, for example: "1 month" or "5 minutes" | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Reference.CreationTime | date | Creation time of the reference set |
QRadar.Reference.ElementType | string | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. |
QRadar.Reference.Name | string | Name of the reference set |
QRadar.Reference.NumberOfElements | number | Number of elements in the created reference set. |
QRadar.Reference.TimeoutType | string | Timeout type of the reference (FIRST_SEEN, LAST_SEEN and UNKNOWN) |
Command Example
!qradar-create-reference-set element_type=DATE ref_name=Date
Context Example
{ "QRadar": { "Reference": { "TimeoutType": "UNKNOWN", "ElementType": "DATE", "CreationTime": "2018-11-27T11:34:23.000000Z", "Name": "Date", "NumberOfElements": 1 } } }
Human Readable Output
14. Delete a reference set
Deletes a reference set corresponding to the name provided.
Base Command
qradar-delete-reference-set
Input
Argument Name | Description | Required |
---|---|---|
ref_name | The name of reference set to delete | Required |
Context Output
There is no context output for this command.
Command Example
!qradar-delete-reference-set ref_name=Date
Human Readable Output
15. Create a value in a reference set
Creates a value in a reference set.
Base Command
qradar-create-reference-set-value
Input
Argument Name | Description | Required |
---|---|---|
ref_name | The name of the reference set to add or update a value in | Required |
value | The value to add or update in the reference set. Date values must be represented in milliseconds since the Unix Epoch, January 1 1970. | Required |
source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
date_value | If true, converts the value argument from the date format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g., 2018-11-06T08:56:41.000000Z) to epoch. | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference |
QRadar.Reference.ElementType | string | Reference element type |
QRadar.Reference.NumberOfElements | number | Number of elements |
QRadar.Reference.TimeoutType | string | Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN) |
Command Example
These command examples produce the same result in the reference set 'Date'. The first example provides the value as a time string instead of an epoch value. A reference set of element type 'DATE' has to be populated with epoch values; however, when the date_value argument is set to True, the integration translates the input to an epoch value. So even though the input was provided as a time string, the reference set is populated with the equivalent epoch value.
!qradar-create-reference-set-value ref_name=Date value=2018-11-27T11:34:23.110000Z date_value=True
!qradar-create-reference-set-value ref_name=Date value=1543318463000
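The conversion that the date_value argument performs, as an added Python example that is not the integration's own code. It implements what the page states: DATE reference sets store milliseconds since the Unix epoch, date_value=True converts an ISO timestamp such as 2018-11-06T08:56:41.000000Z to epoch before the value is sent, and qradar-get-reference-by-name with date_value=True renders stored values as ISO-8601 again. The function names, the exact-integer arithmetic and the check that rejects a non-numeric value for a DATE set are this example's own choices; the sample values are the page's Date reference set examples.

```python
"""Epoch-millisecond <-> ISO-8601 conversion for DATE reference sets.

Added example; not code from the page or the Cortex XSOAR QRadar integration.
DATE reference sets store milliseconds since 1970-01-01T00:00:00Z. Integer
timedelta arithmetic is used so no float rounding creeps into the value.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List, Union

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
ISO_IN = "%Y-%m-%dT%H:%M:%S.%fZ"   # parses the page's 2018-11-06T08:56:41.000000Z form
ISO_OUT = "%Y-%m-%dT%H:%M:%S.%f"   # strftime part; a literal Z is appended


def iso_to_epoch_ms(value: str) -> int:
    """'2018-11-27T11:34:23.000000Z' -> 1543318463000 (UTC, as the trailing Z says)."""
    dt = datetime.strptime(value, ISO_IN).replace(tzinfo=timezone.utc)
    return (dt - EPOCH) // timedelta(milliseconds=1)  # exact integer division


def epoch_ms_to_iso(ms: int) -> str:
    """1543318463000 -> '2018-11-27T11:34:23.000000Z'."""
    return (EPOCH + timedelta(milliseconds=int(ms))).strftime(ISO_OUT) + "Z"


def reference_set_value(value: Union[str, int], element_type: str, date_value: bool = False) -> str:
    """Produce the string to send for the command's `value` argument.

    For a DATE set with date_value=True the ISO timestamp is converted; without
    it the value must already be epoch milliseconds, which is checked here
    rather than leaving QRadar to reject the request.
    """
    text = str(value)
    if element_type != "DATE":
        return text
    if date_value:
        return str(iso_to_epoch_ms(text))
    if not text.isdigit():
        raise ValueError("DATE reference sets take epoch milliseconds; "
                         "pass date_value=True to send an ISO timestamp")
    return text


def decode_date_values(items: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Reverse direction (qradar-get-reference-by-name date_value=True): render each
    item's value as ISO-8601; every other key is passed through unchanged."""
    out = []
    for item in items:
        copy = dict(item)
        copy["value"] = epoch_ms_to_iso(int(item["value"]))
        out.append(copy)
    return out


if __name__ == "__main__":
    # constructed inputs echoing the page's create-reference-set-value examples
    print(reference_set_value("2018-11-27T11:34:23.000000Z", "DATE", date_value=True))
    print(reference_set_value(1543318463000, "DATE"))
    print(decode_date_values([{"source": "reference data api", "value": "1543318463000"}]))
```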
Context Example
{ "QRadar": { "Reference": { "TimeoutType": "UNKNOWN", "ElementType": "DATE", "CreationTime": "2018-11-27T11:34:23.110000Z", "Name": "Date", "NumberOfElements": 1 } } }
Human Readable Output
16. Add or update a value in a reference set
Adds or updates a value in a reference set.
Base Command
qradar-update-reference-set-value
Input
Argument Name | Description | Required |
---|---|---|
ref_name | The name of the reference set to add or update a value in. | Required |
value | The value to add or update in the reference set. Date values must be represented in milliseconds since the Unix Epoch January 1st 1970. | Required |
source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
date_value | If true, converts the value argument from the date format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g., 2018-11-06T08:56:41.000000Z) to epoch. | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference |
QRadar.Reference.ElementType | string | Reference element type |
QRadar.Reference.NumberOfElements | number | Number of elements |
QRadar.Reference.TimeoutType | string | Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN) |
Command Example
!qradar-update-reference-set-value ref_name="Documentation Reference" value="Important information" source="Documentation1"
Context Example
{ "QRadar": { "Reference": { "TimeoutType": "UNKNOWN", "ElementType": "ALN", "CreationTime": "2018-11-21T11:42:25.492000Z", "Name": "Documentation Reference", "NumberOfElements": 1 } } }
Human Readable Output
17. Delete a value from a reference set
Deletes a value from a reference set.
Base Command
qradar-delete-reference-set-value
Input
Argument Name | Description | Required |
---|---|---|
ref_name | The name of the reference set to remove a value from | Required |
value | The value to remove from the reference set | Required |
date_value | If true, converts the value argument from the date format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g., 2018-11-06T08:56:41.000000Z) to epoch. | Optional |
Context Output
Path | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference |
QRadar.Reference.ElementType | string | Reference element type |
QRadar.Reference.NumberOfElements | number | Number of elements |
QRadar.Reference.TimeoutType | string | Reference timeout type (UNKNOWN, FIRST_SEEN, LAST_SEEN) |
Command Example
These command examples produce the same result in the reference set 'Date'. The first example provides the value as a time string instead of an epoch value. A reference set of element type 'DATE' has to be populated with epoch values; however, when the date_value argument is set to True, the integration translates the input to an epoch value. So even though the input was provided as a time string, the value removed from the reference set is the equivalent epoch value.
!qradar-delete-reference-set-value ref_name=Date value=2018-11-27T11:34:23.000000Z date_value=True
!qradar-delete-reference-set-value ref_name=Date value=1543318463000
Context Example
{ "QRadar": { "Reference": { "TimeoutType": "UNKNOWN", "ElementType": "DATE", "CreationTime": "2018-11-27T11:34:23.110000Z", "Name": "Date", "NumberOfElements": 0 } } }