IBM QRadar v2 (Deprecated)
IBM QRadar Pack.#
This Integration is part of theDeprecated
Use the IBM QRadar v3 integration instead.
Fetch offenses as incidents and search QRadar. Supports API versions until 10.0. This integration was integrated and tested with version 7.3.2 of QRadar.
#
Configure QRadar v2 in CortexParameter | Description | Required |
---|---|---|
server | Server URL (e.g. https://8.8.8.8 ) | True |
credentials | Username / API Key (see '?') | False |
query | Query to fetch offenses | False |
offenses_per_fetch | Number of offenses to pull per API call (max 50) | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
Long running instance | Fetches incidents | False |
incidentType | Incident type | False |
full_enrich | Full Incident Enrichment | False |
longRunning | Long running instance | False |
events_columns | Event columns to return from the events query | False |
fetch_mode | Fetch mode | True |
events_limit | Max number of events per incident | False |
adv_params | Advanced Parameters | False |
#
TroubleshootingThis section provides information for troubleshooting performance and fetching issues.
#
Performance IssuesIn some cases, you might encounter performance issues when running QRadar AQL queries from Cortex XSOAR. This issue is caused by QRadar API limitations. We recommend that you test the QRadar API performance by running several cURL scripts.
#
1. Creating a searchRun the following command to use the QRadar API to create a new search.Save the QUERY ID that is attached to the response for the next step.
#
2. Check if the search status is Complete or ExecutingUse the following command to use the QRadar API to check the query status (EXECUTE, COMPLETED, or ERROR).
#
Fetching IssuesIf the integration fails to fetch with on a Docker timeout error and the enrichment is enabled within the integration configuration, the cause might be releated to a permissions issue with the enrichment.
Adding the following advanced parameter might resolve this issue: DOMAIN_ENRCH_FLG=False
#
Using API Token authenticationIn order to use the integration with an API token you'll first need to change the Username / API Key (see '?')
field to _api_token_key
. Following this step, you can now enter the API Token into the Password
field - this value will be used as an API key.
#
Fetch incidentsTo start fetching incidents, enable the parameter Long running instance
- this will start a long running process that'll fetch incidents periodically.
Depending on the system load, the initial fetch might take a long time.
#
Field (Schema) MappingThe scheme is divided to 4 sections. Offense (root), Events: Builtins, Events: Custom Fields, and Assets. For more details, see the Classification & Mapping documentation.
#
Query to fetch offensesYou can apply additional (optional) filters for the fetch-incident query using the Query to fetch offenses
integration parameter. For more information on how to use the filter syntax, see the QRadar filter documentation and QRadar offense documentation.
- Incident IP Enrichment - When enabled, fetched incidents IP values (local source addresses and local destination addresses) will be fetched from QRadar instead of their ID values.
- Incident Asset Enrichment - When enabled, fetched offenses will also contain correlated assets.
#
Reset the "last run" timestampTo reset fetch incidents, run qradar-reset-last-run
- this will reset the fetch to its initial state (will try to fetch first available offense).
Please Note: It is recommended to disable and then enable the QRadar instance for the reset to take effect immediately.
#
Required Permissions- Assets - Vulnerability Management or Assets
- Domains - Admin
- Offenses (Manage Closing Reason) - Manage Offense Closing Reasons
- Offenses (Assign Offenses to Users) - Assign Offenses to Users
- Offenses (Read) - Offenses
- References (Create/Update) - admin
- References (Read) - View Reference Data
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
qradar-offensesGets offenses from QRadar
#
Base Commandqradar-offenses
#
InputArgument Name | Description | Required |
---|---|---|
filter | Query to filter offenses. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-GET.html | Optional |
range | Range of results to return. e.g.: 0-20 | Optional |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Offense.Followup | boolean | Offense followup. |
QRadar.Offense.ID | number | The ID of the offense. |
QRadar.Offense.Description | string | The description of the offense. |
QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
QRadar.Offense.DestinationAddress | Unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, you will need to use QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
QRadar.Offense.RemoteDestinationCount | Unknown | The remote destination that are associated with the offesne. If this value is greater than 0 that means your offense has a remote destination, you will need to use QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
QRadar.Offense.Magnitude | number | The magnitude of the offense. |
QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
QRadar.Offense.OffenseType | string | The offense type (due to API limitations if username and password were not provided, this value will be the id of offense type) |
#
Command Example!qradar-offenses range=0-1 filter="follow_up=false"
#
Context Example#
Human Readable Output#
QRadar offenses
ID Description Followup SourceAddress DestinationAddress RemoteDestinationCount StartTime EventCount Magnitude LastUpdatedTime OffenseType 477 Outbound port scan false 8.8.8.8 8.8.8.8
8.8.8.8
8.8.8.84 2020-08-04T08:34:21.690000Z 22 2 2020-08-04T08:37:49.416000Z Source IP 476 Multiple Login Failures for the Same User
preceded by DJM
preceded by Port Scan detected
containing Failure Audit: An account failed to log onfalse ::1,
8.8.8.88.8.8.8 0 2020-08-04T08:36:57.209000Z 15 1 2020-08-04T08:37:57.209000Z Username
#
qradar-offense-by-idGets offense with matching offense ID from qradar
#
Base Commandqradar-offense-by-id
#
InputArgument Name | Description | Required |
---|---|---|
offense_id | Offense ID | Required |
filter | Query to filter offense. For refernce please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-GET.html | Optional |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Offense.Credibility | number | The credibility of the offense |
QRadar.Offense.Relevance | number | The relevance of the offense |
QRadar.Offense.Severity | number | The severity of the offense |
QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
QRadar.Offense.DestinationAddress | Unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, you will need to use QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
QRadar.Offense.RemoteDestinationCount | Unknown | The remote destination that are associated with the offesne. If this value is greater than 0 that means your offense has a remote destination, you will need to use QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
QRadar.Offense.AssignedTo | string | The user the offense is assigned to. |
QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
QRadar.Offense.ID | int | The ID of the offense. |
QRadar.Offense.DestinationHostname | Unknown | Destintion hostname |
QRadar.Offense.Description | string | The description of the offense. |
QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
QRadar.Offense.OffenseSource | string | The source of the offense. |
QRadar.Offense.Status | string | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
QRadar.Offense.Magnitude | number | The magnitude of the offense. |
QRadar.Offense.ClosingUser | string | The user that closed the offense |
QRadar.Offense.ClosingReason | string | The offense closing reason. |
QRadar.Offense.CloseTime | date | The time when the offense was closed. |
QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
QRadar.Offense.Categories | Unknown | Event categories that are associated with the offense. |
QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
QRadar.Offense.FollowUp | boolean | Offense followup. |
QRadar.Offense.OffenseType | string | A number that represents the offense type |
QRadar.Offense.Protected | boolean | Is the offense protected |
#
Command Example!qradar-offense-by-id offense_id=450
#
Context Example#
Human Readable Output#
QRadar Offenses
Categories Credibility Description DestinationAddress DestinationHostname EventCount FlowCount Followup ID LastUpdatedTime Magnitude OffenseSource OffenseType Protected Relevance RemoteDestinationCount Severity SourceAddress StartTime Status Firewall Session Closed,
Host Port Scan3 Outbound port scan 8.8.8.8 Net-10-172-192.Net_10_0_0_0 5 0 false 450 2020-07-22T14:45:39.082000Z 2 8.8.8.8 Source IP false 0 0 5 8.8.8.8 2020-07-22T14:40:43.870000Z OPEN
#
qradar-searchesSearches in QRadar using AQL. It is highly recommended to use the playbook 'QRadarFullSearch' instead of this command - it will execute the search, and will return the result.
#
Base Commandqradar-searches
#
InputArgument Name | Description | Required |
---|---|---|
query_expression | The query expressions in AQL (for more information about Ariel Query Language please review: https://www.ibm.com/docs/en/qsip/7.3.2?topic=qradar-ariel-query-language-aql ) | Required |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Search.ID | number | Search ID |
QRadar.Search.Status | string | The status of the search. |
#
Command Example!qradar-searches query_expression="SELECT sourceip AS 'MY Source IPs' FROM events"
#
Context Example#
Human Readable Output#
QRadar Search
ID Status ddd8ef78-4bff-4453-ab10-24f0fe1fa763 WAIT
#
qradar-get-searchGets a specific search id and status
#
Base Commandqradar-get-search
#
InputArgument Name | Description | Required |
---|---|---|
search_id | The search id | Required |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Search.ID | number | Search ID |
QRadar.Search.Status | string | The status of the search. |
#
Command Example!qradar-get-search search_id=6212b614-074e-41c1-8fcf-1492834576b8
#
Context Example#
Human Readable Output#
QRadar Search Info
ID Status 6212b614-074e-41c1-8fcf-1492834576b8 COMPLETED
#
qradar-get-search-resultsGets search results
#
Base Commandqradar-get-search-results
#
InputArgument Name | Description | Required |
---|---|---|
search_id | The search id | Required |
range | Range of results to return. e.g.: 0-20 | Optional |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
output_path | Replaces the default context output path for the query result (QRadar.Search.Result). e.g. for output_path=QRadar.Correlations the result will be under the key "QRadar.Correlations" in the context data. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Search.Result | Unknown | The result of the search |
#
Command Example!qradar-get-search-results search_id=6212b614-074e-41c1-8fcf-1492834576b8
#
Context Example#
Human Readable Output#
QRadar Search Results from events
MY Source IPs 8.8.8.8
#
qradar-update-offenseUpdate an offense
#
Base Commandqradar-update-offense
#
InputArgument Name | Description | Required |
---|---|---|
offense_id | The ID of the offense to update | Required |
protected | Set to true to protect the offense | Optional |
follow_up | Set to true to set the follow up flag on the offense | Optional |
status | The new status for the offense | Optional |
closing_reason_id | The id of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing_reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation | Optional |
closing_reason_name | The name of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing_reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation | Optional |
assigned_to | A user to assign the offense to | Optional |
fields | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. Please consult - https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-POST.html | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Offense.Credibility | number | The credibility of the offense |
QRadar.Offense.Relevance | number | The relevance of the offense |
QRadar.Offense.Severity | number | The severity of the offense |
QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
QRadar.Offense.DestinationAddress | Unknown | The destination addresses that are associated with the offense. |
QRadar.Offense.AssignedTo | string | The user the offense is assigned to. |
QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
QRadar.Offense.ID | int | The ID of the offense. |
QRadar.Offense.DestinationHostname | Unknown | Destintion hostname |
QRadar.Offense.Description | string | The description of the offense. |
QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
QRadar.Offense.OffenseSource | string | The source of the offense. |
QRadar.Offense.Status | string | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
QRadar.Offense.Magnitude | number | The magnitude of the offense. |
QRadar.Offense.ClosingUser | string | The user that closed the offense |
QRadar.Offense.ClosingReason | string | The offense closing reason. |
QRadar.Offense.CloseTime | date | The time when the offense was closed. |
QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
QRadar.Offense.Categories | Unknown | Event categories that are associated with the offense. |
QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
QRadar.Offense.FollowUp | boolean | Offense followup. |
QRadar.Offense.OffenseType | string | A number that represents the offense type |
QRadar.Offense.Protected | boolean | Is the offense protected |
#
Command Example!qradar-update-offense offense_id=450 protected=false
#
Context Example#
Human Readable Output#
QRadar Offense
Categories Credibility Description DestinationAddress DestinationHostname EventCount FlowCount Followup ID LastUpdatedTime Magnitude OffenseSource OffenseType Protected Relevance RemoteDestinationCount Severity SourceAddress StartTime Status Firewall Session Closed,
Host Port Scan3 Outbound port scan 8.8.8.8 Net-10-172-192.Net_10_0_0_0 5 0 false 450 2020-07-22T14:45:39.082000Z 2 8.8.8.8 Source IP false 0 0 5 8.8.8.8 2020-07-22T14:40:43.870000Z OPEN
#
qradar-get-assetsList all assets found in the model
#
Base Commandqradar-get-assets
#
InputArgument Name | Description | Required |
---|---|---|
filter | Query to filter assets. For refernce please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--asset_model-assets-GET.html | Optional |
range | Range of results to return. e.g.: 0-20 | Optional |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Assets.ID | number | The ID of the asset |
Endpoint.IPAddress | Unknown | IP address of the asset |
QRadar.Assets.Name.Value | string | Name of the asset |
Endpoint.OS | number | Asset OS |
QRadar.Assets.AggregatedCVSSScore.Value | number | CVSSScore |
QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
QRadar.Assets.Weight.Value | number | Asset weight |
QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
QRadar.Assets.Name.LastUser | string | Last user who updated the name |
#
Command Example!qradar-get-assets range=0-1
#
Context Example#
Human Readable Output#
QRadar Assets#
Asset(ID:1914)
LastUser Property Name Value IDENTITY:0 Name ec2.us.compute-1.amazonaws.com #
Asset(ID:1928)
LastUser Property Name Value IDENTITY:0 Name ec2.us.compute-1.amazonaws.com #
Endpoint
IPAddress 8.8.8.8
8.8.8.8
#
qradar-get-asset-by-idRetrieves the asset by id
#
Base Commandqradar-get-asset-by-id
#
InputArgument Name | Description | Required |
---|---|---|
asset_id | The ID of the requested asset. | Required |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Assets.ID | number | The ID of the asset. |
Endpoint.MACAddress | Unknown | Asset MAC address. |
Endpoint.IPAddress | Unknown | It's in ip_addresses - value |
QRadar.Assets.ComplianceNotes.Value | string | Compliance notes |
QRadar.Assets.CompliancePlan.Value | string | Compliance plan |
QRadar.Assets.CollateralDamagePotential.Value | Unknown | Collateral damage potential |
QRadar.Assets.AggregatedCVSSScore.Value | number | CVSSScore |
QRadar.Assets.Name.Value | string | Name of the asset |
QRadar.Assets.GroupName | string | Name of the asset's group |
Endpoint.Domain | Unknown | DNS name |
Endpoint.OS | Unknown | Asset OS |
QRadar.Assets.Weight.Value | number | Asset weight |
QRadar.Assets.Vulnerabilities.Value | Unknown | Vulnerabilities |
QRadar.Assets.Location | string | Location. |
QRadar.Assets.Description | string | The asset description. |
QRadar.Assets.SwitchID | number | Switch ID |
QRadar.Assets.SwitchPort | number | Switch port. |
QRadar.Assets.Name.LastUser | string | Last user who updated the name |
QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
QRadar.Assets.ComplianceNotes.LastUser | string | Last user who updated the compliance notes |
QRadar.Assets.CompliancePlan.LastUser | string | Last user who updated the compliance plan |
QRadar.Assets.CollateralDamagePotential.LastUser | string | Last user who updated the collateral damage potential |
QRadar.Assets.Vulnerabilities.LastUser | string | Last user who updated the vulnerabilities |
#
Command Example!qradar-get-asset-by-id asset_id=1928
#
Context Example#
Human Readable Output#
QRadar Asset#
Asset(ID:1928)
LastUser Property Name Value IDENTITY:0 Name ec2.us.compute-1.amazonaws.com #
Endpoint
IPAddress MACAddress 8.8.8.8 Unknown NIC
#
qradar-get-closing-reasonsGet closing reasons
#
Base Commandqradar-get-closing-reasons
#
InputArgument Name | Description | Required |
---|---|---|
include_reserved | If true, reserved closing reasons are included in the response | Optional |
include_deleted | If true, deleted closing reasons are included in the response | Optional |
filter | Query to filter results. For refernce please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offense_closing_reasons-GET.html | Optional |
range | Range of results to return. e.g.: 0-20 | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Offense.ClosingReasons.ID | number | Closing reason ID |
QRadar.Offense.ClosingReasons.Name | string | Closing reason name |
#
Command Example!qradar-get-closing-reasons include_reserved=false
#
Context Example#
Human Readable Output#
Offense Closing Reasons
ID Name IsReserved IsDeleted 2 False-Positive, Tuned false false 1 Non-Issue false false 3 Policy Violation false false
#
qradar-create-noteCreate a note on an offense
#
Base Commandqradar-create-note
#
InputArgument Name | Description | Required |
---|---|---|
offense_id | The offense ID to add the note to | Required |
note_text | The note text | Required |
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-POST.html | Optional |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Note.ID | number | Note ID |
QRadar.Note.Text | string | Note text |
QRadar.Note.CreateTime | date | The creation time of the note |
QRadar.Note.CreatedBy | string | The user who created the note |
#
Command Example!qradar-create-note offense_id=450 note_text="XSOAR has the best documentation!"
#
Context Example#
Human Readable Output#
QRadar Note
CreateTime CreatedBy ID Text 2020-09-02T08:12:47.314000Z API_user: admin 1238 XSOAR has the best documentation!
#
qradar-get-noteRetrieve a note for an offense
#
Base Commandqradar-get-note
#
InputArgument Name | Description | Required |
---|---|---|
offense_id | The offense ID to retrieve the note from | Required |
note_id | The note ID | Optional |
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Note.ID | number | Note ID |
QRadar.Note.Text | string | Note text |
QRadar.Note.CreateTime | date | The creation time of the note |
QRadar.Note.CreatedBy | string | The user who created the note |
#
Command Example!qradar-get-note offense_id=450 note_id=1232
#
Context Example#
Human Readable Output#
QRadar note for offense: 450
CreateTime CreatedBy ID Text 2020-09-02T06:39:24.601000Z API_user: admin 1232 XSOAR has the best documentation!
#
qradar-get-reference-by-nameInformation about the reference set that had data added or updated. This returns information set but not the contained data. This feature is supported from version 8.1 and upward.
#
Base Commandqradar-get-reference-by-name
#
InputArgument Name | Description | Required |
---|---|---|
ref_name | The name of the requestered reference. | Required |
headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
date_value | If set to true will try to convert the data values to ISO-8601 string. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set. |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
QRadar.Reference.ElementType | string | Reference element type. |
QRadar.Reference.NumberOfElements | number | Number of elements. |
QRadar.Reference.TimeToLive | string | Reference time to live. |
QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |
QRadar.Reference.Data | Unknown | Reference set items |
#
Command Example!qradar-get-reference-by-name ref_name=Date date_value=True
#
Context Example#
Human Readable Output#
QRadar References
CreationTime ElementType Name NumberOfElements TimeoutType 2020-09-02T08:12:49.020000Z DATE Date 0 UNKNOWN
#
qradar-create-reference-setCreates a new reference set. If the provided name is already in use, this command will fail
#
Base Commandqradar-create-reference-set
#
InputArgument Name | Description | Required |
---|---|---|
ref_name | Reference name to be created | Required |
element_type | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970. | Required |
timeout_type | The allowed values are "FIRST_SEEN", LAST_SEEN and UNKNOWN. The default value is UNKNOWN. | Optional |
time_to_live | The time to live interval, for example: "1 month" or "5 minutes" | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Reference.CreationTime | date | Creation time of the reference set. |
QRadar.Reference.ElementType | string | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. |
QRadar.Reference.Name | string | Name of the reference set. |
QRadar.Reference.NumberOfElements | number | Number of elements in the created reference set. |
QRadar.Reference.TimeoutType | string | Timeout type of the reference. The allowed values are FIRST_SEEN, LAST_SEEN and UNKNOWN. |
#
Command Example!qradar-create-reference-set ref_name=Date element_type=DATE
#
Context Example#
Human Readable Output#
QRadar References
CreationTime ElementType Name NumberOfElements TimeoutType 2020-09-02T08:12:49.020000Z DATE Date 0 UNKNOWN
#
qradar-delete-reference-setDeletes a reference set corresponding to the name provided.
#
Base Commandqradar-delete-reference-set
#
InputArgument Name | Description | Required |
---|---|---|
ref_name | The name of reference set to delete. | Required |
#
Context OutputThere is no context output for this command.
#
Command Example!qradar-delete-reference-set ref_name=Date
#
Context Example#
Human Readable OutputReference Data Deletion Task for 'Date' was initiated. Reference set 'Date' should be deleted shortly.
#
qradar-create-reference-set-valueAdd or update a value in a reference set.
#
Base Commandqradar-create-reference-set-value
#
InputArgument Name | Description | Required |
---|---|---|
ref_name | The name of the reference set to add or update a value in. | Required |
value | The value/s to add or update in the reference set. Note: Date values must be represented in epoch in reference sets (milliseconds since the Unix Epoch January 1st 1970). If 'date_value' is set to 'True', then the argument will be converted from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Required |
source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
date_value | If set to True will convert 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set. |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
QRadar.Reference.ElementType | string | Reference element type. |
QRadar.Reference.NumberOfElements | number | Number of elements. |
QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |
#
Command Example!qradar-create-reference-set-value ref_name=Date value=2018-11-27T11:34:23.110000Z date_value=True
#
Context Example#
Human Readable Output#
Element value was updated successfully in reference set:
CreationTime ElementType Name NumberOfElements TimeoutType 2020-09-02T08:12:49.020000Z DATE Date 1 UNKNOWN
#
qradar-update-reference-set-valueAdds or updates a value in a reference set.
#
Base Commandqradar-update-reference-set-value
#
InputArgument Name | Description | Required |
---|---|---|
ref_name | The name of the reference set to add or update a value in. | Required |
value | A comma-separated list of values to add or update in the reference set. Date values must be represented in milliseconds since the Unix Epoch January 1st 1970. | Required |
source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
date_value | If set to True will convert 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set. |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
QRadar.Reference.ElementType | string | Reference element type. |
QRadar.Reference.NumberOfElements | number | Number of elements. |
QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |
#
Command Example!qradar-update-reference-set-value ref_name="Documentation Reference" value="Important information" source="Documentation"
#
Context Example#
Human Readable Output#
Element value was updated successfully in reference set:
CreationTime ElementType Name NumberOfElements TimeoutType 2020-09-02T06:45:52.294000Z ALNIC Documentation Reference 1 UNKNOWN
#
qradar-delete-reference-set-valueDeletes a value in a reference set.
#
Base Commandqradar-delete-reference-set-value
#
InputArgument Name | Description | Required |
---|---|---|
ref_name | The name of the reference set to remove a value from. | Required |
value | The value to remove from the reference set. | Required |
date_value | If set to True will convert 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Reference.Name | string | The name of the reference set. |
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
QRadar.Reference.ElementType | string | Reference element type. |
QRadar.Reference.NumberOfElements | number | Number of elements. |
QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |
#
Command Example!qradar-delete-reference-set-value ref_name=Date value=1543318463000
#
Context Example#
Human Readable Output#
Element value was deleted successfully in reference set:
CreationTime ElementType Name NumberOfElements TimeoutType 2020-09-02T08:12:49.020000Z DATE Date 0 UNKNOWN
#
qradar-get-domainsRetrieve all Domains
#
Base Commandqradar-get-domains
#
InputArgument Name | Description | Required |
---|---|---|
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional |
range | Number of results in return | Optional |
filter | Query to filter offenses | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Domains.AssetScannerIDs | Number | Array of Asset Scanner IDs. |
QRadar.Domains.CustomProperties | String | Custom properties of the domain. |
QRadar.Domains.Deleted | Boolean | Indicates if the domain is deleted. |
QRadar.Domains.Description | String | Description of the domain. |
QRadar.Domains.EventCollectorIDs | Number | Array of Event Collector IDs. |
QRadar.Domains.FlowCollectorIDs | Number | Array of Flow Collector IDs. |
QRadar.Domains.FlowSourceIDs | Number | Array of Flow Source IDs. |
QRadar.Domains.ID | Number | ID of the domain. |
QRadar.Domains.LogSourceGroupIDs | Number | Array of Log Source Group IDs. |
QRadar.Domains.LogSourceIDs | Number | Array of Log Source IDs. |
QRadar.Domains.Name | String | Name of the Domain. |
QRadar.Domains.QVMScannerIDs | Number | Array of QVM Scanner IDs. |
QRadar.Domains.TenantID | Number | ID of the Domain tenant. |
#
Command Example!qradar-get-domains
#
Context Example#
Human Readable Output#
Domains Found
AssetScannerIDs CustomProperties Deleted Description EventCollectorIDs FlowCollectorIDs FlowSourceIDs ID LogSourceGroupIDs LogSourceIDs Name QVMScannerIDs TenantID false 0 0 true 1 QRadarWhiteListIP 0
#
qradar-get-domain-by-idRetrieves Domain information By ID
#
Base Commandqradar-get-domain-by-id
#
InputArgument Name | Description | Required |
---|---|---|
id | ID of the domain | Required |
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Domains.AssetScannerIDs | Number | Array of Asset Scanner IDs. |
QRadar.Domains.CustomProperties | String | Custom properties of the domain. |
QRadar.Domains.Deleted | Boolean | Indicates if the domain is deleted. |
QRadar.Domains.Description | String | Description of the domain. |
QRadar.Domains.EventCollectorIDs | Number | Array of Event Collector IDs. |
QRadar.Domains.FlowCollectorIDs | Number | Array of Flow Collector IDs. |
QRadar.Domains.FlowSourceIDs | Number | Array of Flow Source IDs. |
QRadar.Domains.ID | Number | ID of the domain. |
QRadar.Domains.LogSourceGroupIDs | Number | Array of Log Source Group IDs. |
QRadar.Domains.LogSourceIDs | Number | Array of Log Source IDs. |
QRadar.Domains.Name | String | Name of the Domain. |
QRadar.Domains.QVMScannerIDs | Number | Array of QVM Scanner IDs. |
QRadar.Domains.TenantID | Number | ID of the Domain tenant. |
#
Command Example!qradar-get-domain-by-id id=0
#
Context Example#
Human Readable Output#
Domains Found
Deleted ID TenantID false 0 0
#
qradar-upload-indicatorsUploads indicators from Cortex XSOAR to Qradar.
#
Base Commandqradar-upload-indicators
#
InputArgument Name | Description | Required |
---|---|---|
ref_name | The name of the reference set to add or update a value in. To create a new reference set, you need to set the element type. | Required |
element_type | The element type for the values premitted in the reference set. Only required when creating a new reference set. The valid values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970. | Optional |
timeout_type | The timeout_type can be "FIRST_SEEN", "LAST_SEEN", or "UNKNOWN". The default value is UNKNOWN. Only required for creating a new refernce set. | Optional |
time_to_live | The time to live interval, for example: "1 month" or "5 minutes". Only required when creating a new reference set. | Optional |
query | The query for getting indicators. | Required |
limit | The maximum number of indicators to return. The default value is 1000. | Optional |
page | The page from which to get the indicators | Optional |
#
Context OutputThere is no context output for this command.
#
Command Example!qradar-upload-indicators query=type:IP ref_name="XSOAR IP Indicators"
#
Context Example#
Human Readable Output#
reference set XSOAR IP Indicators was updated
Name ElementType TimeoutType CreationTime NumberOfElements XSOAR IP Indicators ALNIC UNKNOWN 2020-09-02T06:59:41.266000Z 276 #
Indicators list
Value Type 8.8.8.8 IP
#
qradar-reset-last-runReset fetch incidents last run value, which resets the fetch to its initial fetch state (will try to fetch first available offense).
#
Base Commandqradar-reset-last-run
#
InputThere are no input arguments for this command.
#
Context OutputThere is no context output for this command.
#
Command Example!qradar-reset-last-run
#
Context Example#
Human Readable Outputfetch-incidents was reset successfully.
#
get-mapping-fieldsReturns the list of fields for an incident type. This command is for debugging purposes.
#
Base Commandget-mapping-fields
#
InputThere are no input arguments for this command.
#
Context OutputThere is no context output for this command.
#
qradar-get-custom-propertiesRetrieves a list of event regex properties.
#
Base Commandqradar-get-custom-properties
#
InputArgument Name | Description | Required |
---|---|---|
limit | The maximum number of regex event properties to fetch. Default is 25. | Optional |
field_name | A comma-separated list of names of exact properties to search for. | Optional |
fields | A comma-separated list of fields that specifies the fields returned by the command output. When not given, will return all. Options are identifier, name, id, locale, datetime_format, description, username, property_type, auto_discovered, use_for_rule_engine. | Optional |
like_name | A comma-separated names of a properties to search for. Case insensitive. | Optional |
filter | This parameter is used to restrict the elements in a list base on the contents of various fields. | Optional |
#
Context OutputPath | Type | Description |
---|---|---|
QRadar.Properties.auto_discovered | Number | The flag to indicate if the event regex property is generated by custom properties discovery engine. |
QRadar.Properties.creation_date | Date | The date when the event regex property was created. |
QRadar.Properties.datetime_format | String | The date/time pattern that the event regex property matches. |
QRadar.Properties.description | String | The description of the event regex property. |
QRadar.Properties.id | Number | The sequence ID of the event regex property. |
QRadar.Properties.identifier | String | The ID of the event regex property. |
QRadar.Properties.locale | String | The language tag of the locale that the Property matches. |
QRadar.Properties.modification_date | Date | The date when the event regex property was last modified. |
QRadar.Properties.name | String | The name of the event regex property. |
QRadar.Properties.property_type | String | The property type (STRING, NUMERIC, IP, PORT, TIME) of event regex property. |
QRadar.Properties.use_for_rule_engine | Number | The flag to indicate if the event regex property is parsed when the event is received. |
QRadar.Properties.username | String | The owner of the event regex property. |
#
Command Example!qradar-get-custom-properties field_name="AVT-App-Name" like_name="rule" limit=2
#
Context Example#
Human Readable Output#
QRadar: Custom Properties:
auto_discovered creation_date description id identifier modification_date name property_type use_for_rule_engine username false 2012-07-04 17:05:02 213 DEFAULT_ACF2_RULE_KEY 2012-07-04 17:05:02 ACF2 rule key string true admin false 2012-07-04 17:05:02 Rule name why Parity Agent blocked an access to a file. 222 DEFAULT_RULE_NAME 2012-07-04 17:05:02 Rule Name string true admin