
IBM QRadar v2 (Deprecated)

This Integration is part of the IBM QRadar Pack.#

Deprecated

Use the IBM QRadar v3 integration instead.

Fetch offenses as incidents and search QRadar. Supports API versions until 10.0. This integration was integrated and tested with version 7.3.2 of QRadar.

Configure QRadar v2 in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| server | Server URL (e.g. https://8.8.8.8) | True |
| credentials | Username / API Key (see '?') | False |
| query | Query to fetch offenses | False |
| offenses_per_fetch | Number of offenses to pull per API call (max 50) | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| Long running instance | Fetches incidents | False |
| incidentType | Incident type | False |
| full_enrich | Full Incident Enrichment | False |
| longRunning | Long running instance | False |
| events_columns | Event columns to return from the events query | False |
| fetch_mode | Fetch mode | True |
| events_limit | Max number of events per incident | False |
| adv_params | Advanced Parameters | False |

Troubleshooting#

This section provides information for troubleshooting performance and fetching issues.

Performance Issues#

In some cases, you might encounter performance issues when running QRadar AQL queries from Cortex XSOAR. This issue is caused by QRadar API limitations. We recommend that you test the QRadar API performance by running several cURL scripts.

1. Creating a search#

Run the following command to use the QRadar API to create a new search. Save the QUERY ID returned in the response for the next step.

curl -H "SEC: <API KEY>" -X POST <QRADAR INSTANCE>/api/ariel/searches?query_expression=<QUERY IN URL SAFE ENCODING>

2. Check if the search status is Complete or Executing#

Use the following command to use the QRadar API to check the query status (EXECUTE, COMPLETED, or ERROR).

curl -H "SEC: <API KEY>" -X GET <QRADAR INSTANCE>/api/ariel/searches/<QUERY ID>
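As an added example (not code from this page or from the integration), the following Python script automates the two cURL steps above and times each phase, so QRadar's own API latency can be separated from Cortex XSOAR processing. It assumes the `/api/ariel/searches/<id>/results` endpoint, the `Range` header and the CANCELED status from the QRadar REST API, which the page itself does not mention; `ArielClient` and `time_search` are names chosen here.

```python
"""Time the Ariel search lifecycle that the Troubleshooting steps walk through
with curl: create the search, poll until a terminal status, fetch the results,
and report how long each phase took on the QRadar side."""
import json
import ssl
import time
import urllib.parse
import urllib.request

# COMPLETED and ERROR are the terminal statuses named in the docs; CANCELED (and
# the intermediate WAIT/SORTING states) come from the QRadar REST API reference
# and are an assumption of this example, not something the page states.
TERMINAL_STATUSES = {"COMPLETED", "ERROR", "CANCELED"}


def search_url(host: str, aql: str) -> str:
    """Build the step-1 POST URL with the AQL expression percent-encoded."""
    return (host.rstrip("/") + "/api/ariel/searches?query_expression="
            + urllib.parse.quote(aql, safe=""))


def status_of(body: str) -> str:
    """Extract the status field from an Ariel search JSON document."""
    return json.loads(body)["status"]


def is_terminal(status: str) -> bool:
    return status in TERMINAL_STATUSES


def wait_for_search(fetch_status, interval=2.0, timeout=300.0,
                    clock=time.monotonic, sleep=time.sleep):
    """Step 2 as a loop: call fetch_status() until it reports a terminal state.
    Returns (final_status, polls, seconds_waited); clock and sleep are injectable
    so the loop can be exercised without a live QRadar. Raises TimeoutError when
    the search is still running after `timeout` seconds."""
    start = clock()
    polls = 0
    while True:
        status = fetch_status()
        polls += 1
        elapsed = clock() - start
        if is_terminal(status):
            return status, polls, elapsed
        if elapsed > timeout:
            raise TimeoutError(f"search still {status} after {elapsed:.0f}s")
        sleep(interval)


class ArielClient:
    """Minimal client (hypothetical) for the endpoints the docs exercise with curl."""

    def __init__(self, host: str, sec_token: str, verify_tls: bool = True):
        self.host = host.rstrip("/")
        # SEC is the API-key header used in the curl commands above.
        self.headers = {"SEC": sec_token, "Accept": "application/json"}
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # equivalent of the integration's "Trust any certificate"
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def _call(self, method: str, url: str, extra_headers=None) -> str:
        headers = {**self.headers, **(extra_headers or {})}
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
            return resp.read().decode()

    def create_search(self, aql: str) -> str:
        body = self._call("POST", search_url(self.host, aql))
        return json.loads(body)["search_id"]

    def search_status(self, search_id: str) -> str:
        return status_of(self._call("GET", f"{self.host}/api/ariel/searches/{search_id}"))

    def results(self, search_id: str, first: int = 0, last: int = 49) -> dict:
        # The Range header pages results the way the commands' range=0-20 argument does.
        return json.loads(self._call(
            "GET", f"{self.host}/api/ariel/searches/{search_id}/results",
            {"Range": f"items={first}-{last}"}))


def time_search(client: ArielClient, aql: str) -> dict:
    """Run the full lifecycle once and return per-phase timings in seconds."""
    t0 = time.monotonic()
    search_id = client.create_search(aql)
    create_s = time.monotonic() - t0
    status, polls, wait_s = wait_for_search(lambda: client.search_status(search_id))
    report = {"search_id": search_id, "status": status, "polls": polls,
              "create_s": round(create_s, 3), "wait_s": round(wait_s, 3)}
    if status == "COMPLETED":
        t2 = time.monotonic()
        rows = client.results(search_id)  # e.g. {"events": [...]} as in the docs
        report["results_s"] = round(time.monotonic() - t2, 3)
        report["row_count"] = sum(len(v) for v in rows.values())
    return report
```

Run it as `time_search(ArielClient("https://<QRADAR INSTANCE>", "<API KEY>"), "SELECT sourceip FROM events LAST 10 MINUTES")`; a large `wait_s` with few rows points at QRadar-side search time rather than the integration.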

Fetching Issues#

If the integration fails to fetch with a Docker timeout error and enrichment is enabled in the integration configuration, the cause might be a permissions issue with the enrichment.

Adding the following advanced parameter might resolve this issue: DOMAIN_ENRCH_FLG=False

Using API Token authentication#

In order to use the integration with an API token you'll first need to change the Username / API Key (see '?') field to _api_token_key. Following this step, you can now enter the API Token into the Password field - this value will be used as an API key.

Fetch incidents#

To start fetching incidents, enable the parameter Long running instance - this will start a long running process that'll fetch incidents periodically. Depending on the system load, the initial fetch might take a long time.

Field (Schema) Mapping#

The schema is divided into 4 sections: Offense (root), Events: Builtins, Events: Custom Fields, and Assets. For more details, see the Classification & Mapping documentation.

Query to fetch offenses#

You can apply additional (optional) filters for the fetch-incident query using the Query to fetch offenses integration parameter. For more information on how to use the filter syntax, see the QRadar filter documentation and QRadar offense documentation.

  • Incident IP Enrichment - When enabled, the IP values of fetched incidents (local source addresses and local destination addresses) are fetched from QRadar instead of their ID values.
  • Incident Asset Enrichment - When enabled, fetched offenses will also contain correlated assets.

Reset the "last run" timestamp#

To reset fetch incidents, run qradar-reset-last-run - this will reset the fetch to its initial state (it will try to fetch the first available offense). Please note: it is recommended to disable and then enable the QRadar instance for the reset to take effect immediately.

Required Permissions#

  • Assets - Vulnerability Management or Assets
  • Domains - Admin
  • Offenses (Manage Closing Reason) - Manage Offense Closing Reasons
  • Offenses (Assign Offenses to Users) - Assign Offenses to Users
  • Offenses (Read) - Offenses
  • References (Create/Update) - admin
  • References (Read) - View Reference Data

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

qradar-offenses#


Gets offenses from QRadar

Base Command#

qradar-offenses

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Query to filter offenses. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-GET.html | Optional |
| range | Range of results to return. e.g.: 0-20 | Optional |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Followup | boolean | Offense followup. |
| QRadar.Offense.ID | number | The ID of the offense. |
| QRadar.Offense.Description | string | The description of the offense. |
| QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
| QRadar.Offense.DestinationAddress | Unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, you will need to use the QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.RemoteDestinationCount | Unknown | The remote destinations that are associated with the offense. If this value is greater than 0, your offense has a remote destination and you will need to use the QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
| QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
| QRadar.Offense.Magnitude | number | The magnitude of the offense. |
| QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
| QRadar.Offense.OffenseType | string | The offense type (due to API limitations, if username and password were not provided this value will be the ID of the offense type) |

Command Example#

!qradar-offenses range=0-1 filter="follow_up=false"

Context Example#

{
  "QRadar": {
    "Offense": [
      {
        "Description": "Outbound port scan\n",
        "DestinationAddress": [
          "8.8.8.8"
        ],
        "EventCount": 22,
        "Followup": false,
        "ID": 477,
        "LastUpdatedTime": "2020-08-04T08:37:49.416000Z",
        "Magnitude": 2,
        "OffenseType": "Source IP",
        "RemoteDestinationCount": 4,
        "SourceAddress": [
          "8.8.8.8"
        ],
        "StartTime": "2020-08-04T08:34:21.690000Z"
      },
      {
        "Description": "Multiple Login Failures for the Same User\n preceded by DJM\n preceded by Port Scan detected\n containing Failure Audit: An account failed to log on\n",
        "DestinationAddress": [
          "8.8.8.8"
        ],
        "EventCount": 15,
        "Followup": false,
        "ID": 476,
        "LastUpdatedTime": "2020-08-04T08:37:57.209000Z",
        "Magnitude": 1,
        "OffenseType": "Username",
        "RemoteDestinationCount": 0,
        "SourceAddress": [
          "8.8.8.8"
        ],
        "StartTime": "2020-08-04T08:36:57.209000Z"
      }
    ]
  }
}

Human Readable Output#

QRadar offenses#

| ID | Description | Followup | SourceAddress | DestinationAddress | RemoteDestinationCount | StartTime | EventCount | Magnitude | LastUpdatedTime | OffenseType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 477 | Outbound port scan | false | 8.8.8.8 | 8.8.8.8, 8.8.8.8, 8.8.8.8 | 4 | 2020-08-04T08:34:21.690000Z | 22 | 2 | 2020-08-04T08:37:49.416000Z | Source IP |
| 476 | Multiple Login Failures for the Same User preceded by DJM preceded by Port Scan detected containing Failure Audit: An account failed to log on | false | ::1, 8.8.8.8 | 8.8.8.8 | 0 | 2020-08-04T08:36:57.209000Z | 15 | 1 | 2020-08-04T08:37:57.209000Z | Username |

qradar-offense-by-id#


Gets offense with matching offense ID from qradar

Base Command#

qradar-offense-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | Offense ID | Required |
| filter | Query to filter offense. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-GET.html | Optional |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Credibility | number | The credibility of the offense |
| QRadar.Offense.Relevance | number | The relevance of the offense |
| QRadar.Offense.Severity | number | The severity of the offense |
| QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
| QRadar.Offense.DestinationAddress | Unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, you will need to use the QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.RemoteDestinationCount | Unknown | The remote destinations that are associated with the offense. If this value is greater than 0, your offense has a remote destination and you will need to use the QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.AssignedTo | string | The user the offense is assigned to. |
| QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
| QRadar.Offense.ID | int | The ID of the offense. |
| QRadar.Offense.DestinationHostname | Unknown | Destination hostname |
| QRadar.Offense.Description | string | The description of the offense. |
| QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
| QRadar.Offense.OffenseSource | string | The source of the offense. |
| QRadar.Offense.Status | string | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| QRadar.Offense.Magnitude | number | The magnitude of the offense. |
| QRadar.Offense.ClosingUser | string | The user that closed the offense |
| QRadar.Offense.ClosingReason | string | The offense closing reason. |
| QRadar.Offense.CloseTime | date | The time when the offense was closed. |
| QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
| QRadar.Offense.Categories | Unknown | Event categories that are associated with the offense. |
| QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
| QRadar.Offense.FollowUp | boolean | Offense followup. |
| QRadar.Offense.OffenseType | string | A number that represents the offense type |
| QRadar.Offense.Protected | boolean | Is the offense protected |

Command Example#

!qradar-offense-by-id offense_id=450

Context Example#

{
  "QRadar": {
    "Offense": {
      "Categories": [
        "Firewall Session Closed",
        "Host Port Scan"
      ],
      "Credibility": 3,
      "Description": "Outbound port scan\n",
      "DestinationAddress": [
        "8.8.8.8"
      ],
      "DestinationHostname": [
        "Net-10-172-192.Net_10_0_0_0"
      ],
      "EventCount": 5,
      "FlowCount": 0,
      "Followup": false,
      "ID": 450,
      "LastUpdatedTime": "2020-07-22T14:45:39.082000Z",
      "Magnitude": 2,
      "OffenseSource": "8.8.8.8",
      "OffenseType": "Source IP",
      "Protected": false,
      "Relevance": 0,
      "RemoteDestinationCount": 0,
      "Severity": 5,
      "SourceAddress": [
        "8.8.8.8"
      ],
      "StartTime": "2020-07-22T14:40:43.870000Z",
      "Status": "OPEN"
    }
  }
}

Human Readable Output#

QRadar Offenses#

| Categories | Credibility | Description | DestinationAddress | DestinationHostname | EventCount | FlowCount | Followup | ID | LastUpdatedTime | Magnitude | OffenseSource | OffenseType | Protected | Relevance | RemoteDestinationCount | Severity | SourceAddress | StartTime | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Firewall Session Closed, Host Port Scan | 3 | Outbound port scan | 8.8.8.8 | Net-10-172-192.Net_10_0_0_0 | 5 | 0 | false | 450 | 2020-07-22T14:45:39.082000Z | 2 | 8.8.8.8 | Source IP | false | 0 | 0 | 5 | 8.8.8.8 | 2020-07-22T14:40:43.870000Z | OPEN |

qradar-searches#


Searches in QRadar using AQL. It is highly recommended to use the playbook 'QRadarFullSearch' instead of this command - it will execute the search, and will return the result.

Base Command#

qradar-searches

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query_expression | The query expression in AQL (for more information about Ariel Query Language please review: https://www.ibm.com/docs/en/qsip/7.3.2?topic=qradar-ariel-query-language-aql ) | Required |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.ID | number | Search ID |
| QRadar.Search.Status | string | The status of the search. |

Command Example#

!qradar-searches query_expression="SELECT sourceip AS 'MY Source IPs' FROM events"

Context Example#

{
  "QRadar": {
    "Search": {
      "ID": "ddd8ef78-4bff-4453-ab10-24f0fe1fa763",
      "Status": "WAIT"
    }
  }
}

Human Readable Output#

QRadar Search#

| ID | Status |
| --- | --- |
| ddd8ef78-4bff-4453-ab10-24f0fe1fa763 | WAIT |

qradar-get-search#


Gets a specific search id and status

Base Command#

qradar-get-search

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| search_id | The search ID | Required |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.ID | number | Search ID |
| QRadar.Search.Status | string | The status of the search. |

Command Example#

!qradar-get-search search_id=6212b614-074e-41c1-8fcf-1492834576b8

Context Example#

{
  "QRadar": {
    "Search": {
      "ID": "6212b614-074e-41c1-8fcf-1492834576b8",
      "Status": "COMPLETED"
    }
  }
}

Human Readable Output#

QRadar Search Info#

| ID | Status |
| --- | --- |
| 6212b614-074e-41c1-8fcf-1492834576b8 | COMPLETED |

qradar-get-search-results#


Gets search results

Base Command#

qradar-get-search-results

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| search_id | The search ID | Required |
| range | Range of results to return. e.g.: 0-20 | Optional |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
| output_path | Replaces the default context output path for the query result (QRadar.Search.Result). e.g. for output_path=QRadar.Correlations the result will be under the key "QRadar.Correlations" in the context data. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.Result | Unknown | The result of the search |

Command Example#

!qradar-get-search-results search_id=6212b614-074e-41c1-8fcf-1492834576b8

Context Example#

{
  "QRadar": {
    "Search": {
      "Result": {
        "events": [
          {
            "MY Source IPs": "8.8.8.8"
          }
        ]
      }
    }
  }
}

Human Readable Output#

QRadar Search Results from events#

| MY Source IPs |
| --- |
| 8.8.8.8 |

qradar-update-offense#


Update an offense

Base Command#

qradar-update-offense

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The ID of the offense to update | Required |
| protected | Set to true to protect the offense | Optional |
| follow_up | Set to true to set the follow up flag on the offense | Optional |
| status | The new status for the offense | Optional |
| closing_reason_id | The ID of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing_reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation | Optional |
| closing_reason_name | The name of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing_reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation | Optional |
| assigned_to | A user to assign the offense to | Optional |
| fields | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. Please consult - https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-POST.html | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Credibility | number | The credibility of the offense |
| QRadar.Offense.Relevance | number | The relevance of the offense |
| QRadar.Offense.Severity | number | The severity of the offense |
| QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
| QRadar.Offense.DestinationAddress | Unknown | The destination addresses that are associated with the offense. |
| QRadar.Offense.AssignedTo | string | The user the offense is assigned to. |
| QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
| QRadar.Offense.ID | int | The ID of the offense. |
| QRadar.Offense.DestinationHostname | Unknown | Destination hostname |
| QRadar.Offense.Description | string | The description of the offense. |
| QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
| QRadar.Offense.OffenseSource | string | The source of the offense. |
| QRadar.Offense.Status | string | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| QRadar.Offense.Magnitude | number | The magnitude of the offense. |
| QRadar.Offense.ClosingUser | string | The user that closed the offense |
| QRadar.Offense.ClosingReason | string | The offense closing reason. |
| QRadar.Offense.CloseTime | date | The time when the offense was closed. |
| QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
| QRadar.Offense.Categories | Unknown | Event categories that are associated with the offense. |
| QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
| QRadar.Offense.FollowUp | boolean | Offense followup. |
| QRadar.Offense.OffenseType | string | A number that represents the offense type |
| QRadar.Offense.Protected | boolean | Is the offense protected |

Command Example#

!qradar-update-offense offense_id=450 protected=false

Context Example#

{
  "QRadar": {
    "Offense": {
      "Categories": [
        "Firewall Session Closed",
        "Host Port Scan"
      ],
      "Credibility": 3,
      "Description": "Outbound port scan\n",
      "DestinationAddress": [
        "8.8.8.8"
      ],
      "DestinationHostname": [
        "Net-10-172-192.Net_10_0_0_0"
      ],
      "EventCount": 5,
      "FlowCount": 0,
      "Followup": false,
      "ID": 450,
      "LastUpdatedTime": "2020-07-22T14:45:39.082000Z",
      "Magnitude": 2,
      "OffenseSource": "8.8.8.8",
      "OffenseType": "Source IP",
      "Protected": false,
      "Relevance": 0,
      "RemoteDestinationCount": 0,
      "Severity": 5,
      "SourceAddress": [
        "8.8.8.8"
      ],
      "StartTime": "2020-07-22T14:40:43.870000Z",
      "Status": "OPEN"
    }
  }
}

Human Readable Output#

QRadar Offense#

| Categories | Credibility | Description | DestinationAddress | DestinationHostname | EventCount | FlowCount | Followup | ID | LastUpdatedTime | Magnitude | OffenseSource | OffenseType | Protected | Relevance | RemoteDestinationCount | Severity | SourceAddress | StartTime | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Firewall Session Closed, Host Port Scan | 3 | Outbound port scan | 8.8.8.8 | Net-10-172-192.Net_10_0_0_0 | 5 | 0 | false | 450 | 2020-07-22T14:45:39.082000Z | 2 | 8.8.8.8 | Source IP | false | 0 | 0 | 5 | 8.8.8.8 | 2020-07-22T14:40:43.870000Z | OPEN |

qradar-get-assets#


List all assets found in the model

Base Command#

qradar-get-assets

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Query to filter assets. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--asset_model-assets-GET.html | Optional |
| range | Range of results to return. e.g.: 0-20 | Optional |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Assets.ID | number | The ID of the asset |
| Endpoint.IPAddress | Unknown | IP address of the asset |
| QRadar.Assets.Name.Value | string | Name of the asset |
| Endpoint.OS | number | Asset OS |
| QRadar.Assets.AggregatedCVSSScore.Value | number | CVSS Score |
| QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
| QRadar.Assets.Weight.Value | number | Asset weight |
| QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
| QRadar.Assets.Name.LastUser | string | Last user who updated the name |

Command Example#

!qradar-get-assets range=0-1

Context Example#

{
  "Endpoint": {
    "IPAddress": [
      "8.8.8.8",
      "8.8.8.8"
    ]
  },
  "QRadar": {
    "Asset": [
      {
        "ID": 1914,
        "Name": {
          "LastUser": "IDENTITY:0",
          "Property Name": "Name",
          "Value": "ec2.us.compute-1.amazonaws.com"
        }
      },
      {
        "ID": 1928,
        "Name": {
          "LastUser": "IDENTITY:0",
          "Property Name": "Name",
          "Value": "ec2.us.compute-1.amazonaws.com"
        }
      }
    ]
  }
}

Human Readable Output#

QRadar Assets#

Asset(ID:1914)#

| LastUser | Property Name | Value |
| --- | --- | --- |
| IDENTITY:0 | Name | ec2.us.compute-1.amazonaws.com |

Asset(ID:1928)#

| LastUser | Property Name | Value |
| --- | --- | --- |
| IDENTITY:0 | Name | ec2.us.compute-1.amazonaws.com |

Endpoint#

| IPAddress |
| --- |
| 8.8.8.8 |
| 8.8.8.8 |

qradar-get-asset-by-id#


Retrieves the asset by id

Base Command#

qradar-get-asset-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | The ID of the requested asset. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Assets.ID | number | The ID of the asset. |
| Endpoint.MACAddress | Unknown | Asset MAC address. |
| Endpoint.IPAddress | Unknown | It's in ip_addresses - value |
| QRadar.Assets.ComplianceNotes.Value | string | Compliance notes |
| QRadar.Assets.CompliancePlan.Value | string | Compliance plan |
| QRadar.Assets.CollateralDamagePotential.Value | Unknown | Collateral damage potential |
| QRadar.Assets.AggregatedCVSSScore.Value | number | CVSS Score |
| QRadar.Assets.Name.Value | string | Name of the asset |
| QRadar.Assets.GroupName | string | Name of the asset's group |
| Endpoint.Domain | Unknown | DNS name |
| Endpoint.OS | Unknown | Asset OS |
| QRadar.Assets.Weight.Value | number | Asset weight |
| QRadar.Assets.Vulnerabilities.Value | Unknown | Vulnerabilities |
| QRadar.Assets.Location | string | Location. |
| QRadar.Assets.Description | string | The asset description. |
| QRadar.Assets.SwitchID | number | Switch ID |
| QRadar.Assets.SwitchPort | number | Switch port. |
| QRadar.Assets.Name.LastUser | string | Last user who updated the name |
| QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
| QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
| QRadar.Assets.ComplianceNotes.LastUser | string | Last user who updated the compliance notes |
| QRadar.Assets.CompliancePlan.LastUser | string | Last user who updated the compliance plan |
| QRadar.Assets.CollateralDamagePotential.LastUser | string | Last user who updated the collateral damage potential |
| QRadar.Assets.Vulnerabilities.LastUser | string | Last user who updated the vulnerabilities |

Command Example#

!qradar-get-asset-by-id asset_id=1928

Context Example#

{
  "Endpoint": {
    "IPAddress": [
      "8.8.8.8"
    ],
    "MACAddress": [
      "Unknown NIC"
    ]
  },
  "QRadar": {
    "Asset": {
      "ID": 1928,
      "Name": {
        "LastUser": "IDENTITY:0",
        "Property Name": "Name",
        "Value": "ec2.us.compute-1.amazonaws.com"
      }
    }
  }
}

Human Readable Output#

QRadar Asset#

Asset(ID:1928)#

| LastUser | Property Name | Value |
| --- | --- | --- |
| IDENTITY:0 | Name | ec2.us.compute-1.amazonaws.com |

Endpoint#

| IPAddress | MACAddress |
| --- | --- |
| 8.8.8.8 | Unknown NIC |

qradar-get-closing-reasons#


Get closing reasons

Base Command#

qradar-get-closing-reasons

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| include_reserved | If true, reserved closing reasons are included in the response | Optional |
| include_deleted | If true, deleted closing reasons are included in the response | Optional |
| filter | Query to filter results. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offense_closing_reasons-GET.html | Optional |
| range | Range of results to return. e.g.: 0-20 | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.ClosingReasons.ID | number | Closing reason ID |
| QRadar.Offense.ClosingReasons.Name | string | Closing reason name |

Command Example#

!qradar-get-closing-reasons include_reserved=false

Context Example#

{
  "QRadar": {
    "Offense": {
      "ClosingReasons": [
        {
          "ID": 2,
          "IsDeleted": false,
          "IsReserved": false,
          "Name": "False-Positive, Tuned"
        },
        {
          "ID": 1,
          "IsDeleted": false,
          "IsReserved": false,
          "Name": "Non-Issue"
        },
        {
          "ID": 3,
          "IsDeleted": false,
          "IsReserved": false,
          "Name": "Policy Violation"
        }
      ]
    }
  }
}

Human Readable Output#

Offense Closing Reasons#

| ID | Name | IsReserved | IsDeleted |
| --- | --- | --- | --- |
| 2 | False-Positive, Tuned | false | false |
| 1 | Non-Issue | false | false |
| 3 | Policy Violation | false | false |

qradar-create-note#


Create a note on an offense

Base Command#

qradar-create-note

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The offense ID to add the note to | Required |
| note_text | The note text | Required |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-POST.html | Optional |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Note.ID | number | Note ID |
| QRadar.Note.Text | string | Note text |
| QRadar.Note.CreateTime | date | The creation time of the note |
| QRadar.Note.CreatedBy | string | The user who created the note |

Command Example#

!qradar-create-note offense_id=450 note_text="XSOAR has the best documentation!"

Context Example#

{
  "QRadar": {
    "Note": {
      "CreateTime": "2020-09-02T08:12:47.314000Z",
      "CreatedBy": "API_user: admin",
      "ID": 1238,
      "Text": "XSOAR has the best documentation!"
    }
  }
}

Human Readable Output#

QRadar Note#

| CreateTime | CreatedBy | ID | Text |
| --- | --- | --- | --- |
| 2020-09-02T08:12:47.314000Z | API_user: admin | 1238 | XSOAR has the best documentation! |

qradar-get-note#


Retrieve a note for an offense

Base Command#

qradar-get-note

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The offense ID to retrieve the note from | Required |
| note_id | The note ID | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Note.ID | number | Note ID |
| QRadar.Note.Text | string | Note text |
| QRadar.Note.CreateTime | date | The creation time of the note |
| QRadar.Note.CreatedBy | string | The user who created the note |

Command Example#

!qradar-get-note offense_id=450 note_id=1232

Context Example#

{
  "QRadar": {
    "Note": {
      "CreateTime": "2020-09-02T06:39:24.601000Z",
      "CreatedBy": "API_user: admin",
      "ID": 1232,
      "Text": "XSOAR has the best documentation!"
    }
  }
}

Human Readable Output#

QRadar note for offense: 450#

| CreateTime | CreatedBy | ID | Text |
| --- | --- | --- | --- |
| 2020-09-02T06:39:24.601000Z | API_user: admin | 1232 | XSOAR has the best documentation! |

qradar-get-reference-by-name#


Information about the reference set that had data added or updated. This returns information about the set but not the contained data. This feature is supported from version 8.1 and upward.

Base Command#

qradar-get-reference-by-name

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the requested reference. | Required |
| headers | Table headers to use the human readable output (if none provided, will show all table headers) | Optional |
| date_value | If set to true, will try to convert the data values to ISO-8601 strings. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.Name | string | The name of the reference set. |
| QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
| QRadar.Reference.ElementType | string | Reference element type. |
| QRadar.Reference.NumberOfElements | number | Number of elements. |
| QRadar.Reference.TimeToLive | string | Reference time to live. |
| QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |
| QRadar.Reference.Data | Unknown | Reference set items |

Command Example#

!qradar-get-reference-by-name ref_name=Date date_value=True

Context Example#

{
  "QRadar": {
    "Reference": {
      "CreationTime": "2020-09-02T08:12:49.020000Z",
      "ElementType": "DATE",
      "Name": "Date",
      "NumberOfElements": 0,
      "TimeoutType": "UNKNOWN"
    }
  }
}

Human Readable Output#

QRadar References#

| CreationTime | ElementType | Name | NumberOfElements | TimeoutType |
| --- | --- | --- | --- | --- |
| 2020-09-02T08:12:49.020000Z | DATE | Date | 0 | UNKNOWN |

qradar-create-reference-set#


Creates a new reference set. If the provided name is already in use, this command will fail

Base Command#

qradar-create-reference-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | Reference name to be created | Required |
| element_type | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970. | Required |
| timeout_type | The allowed values are "FIRST_SEEN", LAST_SEEN and UNKNOWN. The default value is UNKNOWN. | Optional |
| time_to_live | The time to live interval, for example: "1 month" or "5 minutes" | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.CreationTime | date | Creation time of the reference set. |
| QRadar.Reference.ElementType | string | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. |
| QRadar.Reference.Name | string | Name of the reference set. |
| QRadar.Reference.NumberOfElements | number | Number of elements in the created reference set. |
| QRadar.Reference.TimeoutType | string | Timeout type of the reference. The allowed values are FIRST_SEEN, LAST_SEEN and UNKNOWN. |

Command Example#

!qradar-create-reference-set ref_name=Date element_type=DATE

Context Example#

{
  "QRadar": {
    "Reference": {
      "CreationTime": "2020-09-02T08:12:49.020000Z",
      "ElementType": "DATE",
      "Name": "Date",
      "NumberOfElements": 0,
      "TimeoutType": "UNKNOWN"
    }
  }
}

Human Readable Output#

QRadar References#

| CreationTime | ElementType | Name | NumberOfElements | TimeoutType |
| --- | --- | --- | --- | --- |
| 2020-09-02T08:12:49.020000Z | DATE | Date | 0 | UNKNOWN |

qradar-delete-reference-set#


Deletes a reference set corresponding to the name provided.

Base Command#

qradar-delete-reference-set

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to delete. | Required |

Context Output#

There is no context output for this command.

Command Example#

!qradar-delete-reference-set ref_name=Date

Context Example#

{}

Human Readable Output#

Reference Data Deletion Task for 'Date' was initiated. Reference set 'Date' should be deleted shortly.

qradar-create-reference-set-value#


Add or update a value in a reference set.

Base Command#

qradar-create-reference-set-value

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to add or update a value in. | Required |
| value | The value/s to add or update in the reference set. Note: Date values must be represented in epoch in reference sets (milliseconds since the Unix Epoch January 1st 1970). If 'date_value' is set to 'True', then the argument will be converted from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Required |
| source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
| date_value | If set to True, will convert the 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.Name | string | The name of the reference set. |
| QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
| QRadar.Reference.ElementType | string | Reference element type. |
| QRadar.Reference.NumberOfElements | number | Number of elements. |
| QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |

Command Example#

!qradar-create-reference-set-value ref_name=Date value=2018-11-27T11:34:23.110000Z date_value=True

Context Example#

```json
{
    "QRadar": {
        "Reference": {
            "CreationTime": "2020-09-02T08:12:49.020000Z",
            "ElementType": "DATE",
            "Name": "Date",
            "NumberOfElements": 1,
            "TimeoutType": "UNKNOWN"
        }
    }
}
```

Human Readable Output#

Element value was updated successfully in reference set:#

| CreationTime | ElementType | Name | NumberOfElements | TimeoutType |
| --- | --- | --- | --- | --- |
| 2020-09-02T08:12:49.020000Z | DATE | Date | 1 | UNKNOWN |

qradar-update-reference-set-value#


Adds or updates a value in a reference set.

Base Command#

qradar-update-reference-set-value

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to add or update a value in. | Required |
| value | A comma-separated list of values to add or update in the reference set. Date values must be represented in milliseconds since the Unix epoch, January 1st 1970. | Required |
| source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
| date_value | If set to True, converts the 'value' argument from a date in the format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch milliseconds. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.Name | string | The name of the reference set. |
| QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
| QRadar.Reference.ElementType | string | Reference element type. |
| QRadar.Reference.NumberOfElements | number | Number of elements. |
| QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |

Command Example#

!qradar-update-reference-set-value ref_name="Documentation Reference" value="Important information" source="Documentation"

Context Example#

```json
{
    "QRadar": {
        "Reference": {
            "CreationTime": "2020-09-02T06:45:52.294000Z",
            "ElementType": "ALNIC",
            "Name": "Documentation Reference",
            "NumberOfElements": 1,
            "TimeoutType": "UNKNOWN"
        }
    }
}
```

Human Readable Output#

Element value was updated successfully in reference set:#

| CreationTime | ElementType | Name | NumberOfElements | TimeoutType |
| --- | --- | --- | --- | --- |
| 2020-09-02T06:45:52.294000Z | ALNIC | Documentation Reference | 1 | UNKNOWN |

qradar-delete-reference-set-value#


Deletes a value in a reference set.

Base Command#

qradar-delete-reference-set-value

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to remove a value from. | Required |
| value | The value to remove from the reference set. | Required |
| date_value | If set to True, converts the 'value' argument from a date in the format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch milliseconds. | Optional |
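
The three reference-set value commands above share the same `date_value` conversion: a timestamp in the format `'%Y-%m-%dT%H:%M:%S.%f000Z'` becomes epoch milliseconds, which is how QRadar stores DATE elements. The following is an added worked example of that conversion, written for this page; it is not the integration's own code. It assumes the documented format with a UTC `Z` suffix, and `prepare_values` is a hypothetical stand-in for how a comma-separated `value` argument could be handled. One caveat the format carries: because the literal `000Z` follows `%f`, only millisecond precision is parseable, and a value whose last three fractional digits are not zero is rejected.

```python
import calendar
from datetime import datetime, timezone
from typing import List, Union

# Date format documented for the date_value argument. Because the literal
# "000Z" follows %f, strptime can only give %f the first one to three
# fractional digits: millisecond precision is accepted and the last three
# fractional digits must be zeros, or the value does not parse.
QRADAR_DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%f000Z"


def to_epoch_ms(value: str) -> int:
    """Convert a timestamp in QRADAR_DATE_FORMAT to milliseconds since the Unix epoch."""
    dt = datetime.strptime(value, QRADAR_DATE_FORMAT)
    # timegm() interprets the naive datetime as UTC (the trailing Z). Integer
    # arithmetic avoids the float rounding of dt.timestamp() * 1000.
    return calendar.timegm(dt.timetuple()) * 1000 + dt.microsecond // 1000


def from_epoch_ms(epoch_ms: int) -> str:
    """Inverse of to_epoch_ms: render a DATE element read back from QRadar."""
    dt = datetime.fromtimestamp(epoch_ms // 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{epoch_ms % 1000:03d}000Z"


def is_valid_qradar_date(value: str) -> bool:
    """True when the value parses under the documented format."""
    try:
        to_epoch_ms(value)
        return True
    except ValueError:
        return False


def prepare_values(value_arg: str, date_value: bool = False) -> List[Union[int, str]]:
    """Split the comma-separated value argument and, when date_value is set,
    convert each entry to epoch milliseconds. Hypothetical mirror of the
    command's argument handling, not the integration's own code."""
    values = [v.strip() for v in value_arg.split(",") if v.strip()]
    if not date_value:
        return values
    return [to_epoch_ms(v) for v in values]


if __name__ == "__main__":
    # Constructed sample: the value from the page's command example.
    sample = "2018-11-27T11:34:23.110000Z"
    print(sample, "->", to_epoch_ms(sample))
    print(prepare_values("2018-11-27T11:34:23.110000Z,2018-11-06T08:56:41.000000Z", date_value=True))
    print("110500 fractional digits accepted?", is_valid_qradar_date("2018-11-27T11:34:23.110500Z"))
```

Validating with `is_valid_qradar_date` before issuing the command gives a clearer error than a failed API call, and `from_epoch_ms` is useful when reading DATE elements back out of a set during an investigation.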

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.Name | string | The name of the reference set. |
| QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
| QRadar.Reference.ElementType | string | Reference element type. |
| QRadar.Reference.NumberOfElements | number | Number of elements. |
| QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |

Command Example#

!qradar-delete-reference-set-value ref_name=Date value=1543318463000

Context Example#

```json
{
    "QRadar": {
        "Reference": {
            "CreationTime": "2020-09-02T08:12:49.020000Z",
            "ElementType": "DATE",
            "Name": "Date",
            "NumberOfElements": 0,
            "TimeoutType": "UNKNOWN"
        }
    }
}
```

Human Readable Output#

Element value was deleted successfully in reference set:#

| CreationTime | ElementType | Name | NumberOfElements | TimeoutType |
| --- | --- | --- | --- | --- |
| 2020-09-02T08:12:49.020000Z | DATE | Date | 0 | UNKNOWN |

qradar-get-domains#


Retrieves all domains.

Base Command#

qradar-get-domains

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response; fields that are not named are excluded. Specify subfields in brackets, and separate multiple fields in the same object with commas. The filter uses QRadar's field names; for reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional |
| range | Number of results to return. | Optional |
| filter | Query to filter offenses. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Domains.AssetScannerIDs | Number | Array of Asset Scanner IDs. |
| QRadar.Domains.CustomProperties | String | Custom properties of the domain. |
| QRadar.Domains.Deleted | Boolean | Indicates if the domain is deleted. |
| QRadar.Domains.Description | String | Description of the domain. |
| QRadar.Domains.EventCollectorIDs | Number | Array of Event Collector IDs. |
| QRadar.Domains.FlowCollectorIDs | Number | Array of Flow Collector IDs. |
| QRadar.Domains.FlowSourceIDs | Number | Array of Flow Source IDs. |
| QRadar.Domains.ID | Number | ID of the domain. |
| QRadar.Domains.LogSourceGroupIDs | Number | Array of Log Source Group IDs. |
| QRadar.Domains.LogSourceIDs | Number | Array of Log Source IDs. |
| QRadar.Domains.Name | String | Name of the Domain. |
| QRadar.Domains.QVMScannerIDs | Number | Array of QVM Scanner IDs. |
| QRadar.Domains.TenantID | Number | ID of the Domain tenant. |

Command Example#

!qradar-get-domains

Context Example#

```json
{
    "QRadar": {
        "Domains": [
            {
                "Deleted": false,
                "ID": 0,
                "TenantID": 0
            },
            {
                "Deleted": true,
                "ID": 1,
                "Name": "QRadarWhiteListIP",
                "TenantID": 0
            }
        ]
    }
}
```

Human Readable Output#

Domains Found#

| AssetScannerIDs | CustomProperties | Deleted | Description | EventCollectorIDs | FlowCollectorIDs | FlowSourceIDs | ID | LogSourceGroupIDs | LogSourceIDs | Name | QVMScannerIDs | TenantID |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|  |  | false |  |  |  |  | 0 |  |  |  |  | 0 |
|  |  | true |  |  |  |  | 1 |  |  | QRadarWhiteListIP |  | 0 |

qradar-get-domain-by-id#


Retrieves domain information by ID.

Base Command#

qradar-get-domain-by-id

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID of the domain. | Required |
| fields | If used, filters out all fields except the specified ones. Use this parameter to specify which fields you would like to get back in the response; fields that are not named are excluded. Specify subfields in brackets, and separate multiple fields in the same object with commas. The filter uses QRadar's field names; for reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Domains.AssetScannerIDs | Number | Array of Asset Scanner IDs. |
| QRadar.Domains.CustomProperties | String | Custom properties of the domain. |
| QRadar.Domains.Deleted | Boolean | Indicates if the domain is deleted. |
| QRadar.Domains.Description | String | Description of the domain. |
| QRadar.Domains.EventCollectorIDs | Number | Array of Event Collector IDs. |
| QRadar.Domains.FlowCollectorIDs | Number | Array of Flow Collector IDs. |
| QRadar.Domains.FlowSourceIDs | Number | Array of Flow Source IDs. |
| QRadar.Domains.ID | Number | ID of the domain. |
| QRadar.Domains.LogSourceGroupIDs | Number | Array of Log Source Group IDs. |
| QRadar.Domains.LogSourceIDs | Number | Array of Log Source IDs. |
| QRadar.Domains.Name | String | Name of the Domain. |
| QRadar.Domains.QVMScannerIDs | Number | Array of QVM Scanner IDs. |
| QRadar.Domains.TenantID | Number | ID of the Domain tenant. |

Command Example#

!qradar-get-domain-by-id id=0

Context Example#

```json
{
    "QRadar": {
        "Domains": {
            "Deleted": false,
            "ID": 0,
            "TenantID": 0
        }
    }
}
```

Human Readable Output#

Domains Found#

| Deleted | ID | TenantID |
| --- | --- | --- |
| false | 0 | 0 |

qradar-upload-indicators#


Uploads indicators from Cortex XSOAR to QRadar.

Base Command#

qradar-upload-indicators

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to add or update a value in. To create a new reference set, you need to set the element type. | Required |
| element_type | The element type for the values permitted in the reference set. Only required when creating a new reference set. The valid values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix epoch, January 1st 1970. | Optional |
| timeout_type | The timeout_type can be "FIRST_SEEN", "LAST_SEEN", or "UNKNOWN". The default value is UNKNOWN. Only required when creating a new reference set. | Optional |
| time_to_live | The time to live interval, for example: "1 month" or "5 minutes". Only required when creating a new reference set. | Optional |
| query | The query for getting indicators. | Required |
| limit | The maximum number of indicators to return. The default value is 1000. | Optional |
| page | The page from which to get the indicators. | Optional |
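
The element type of the target reference set decides which indicator values QRadar will accept, so it pays to check the query's results against that type before the upload rather than discover rejections afterwards. The following is an added example written for this page, not the integration's own code. Its acceptance rules are this example's assumptions: single IPv4 or IPv6 addresses for IP (no CIDR ranges or hostnames), 0 to 65535 for PORT, any real number for NUM, epoch milliseconds for DATE (as the page documents), and any non-empty string for ALN/ALNIC, with ALNIC duplicates collapsed case-insensitively. The sample indicator list is constructed.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Element types listed for the element_type argument above.
ELEMENT_TYPES = ("ALN", "ALNIC", "IP", "NUM", "PORT", "DATE")

# Constructed sample input standing in for the result of query=type:IP.
SAMPLE_IP_INDICATORS = ["8.8.8.8", "2001:db8::1", "not-an-ip", "10.0.0.256", "8.8.8.8"]


def is_valid_element(element_type: str, value: str) -> bool:
    """Check one value against the reference set's element type.

    The rules are this example's assumptions about what QRadar accepts:
    single IPv4/IPv6 addresses for IP (no CIDR, no hostnames), 0-65535 for
    PORT, any real number for NUM, epoch milliseconds for DATE (as the page
    documents), and any non-empty string for ALN/ALNIC.
    """
    if element_type == "IP":
        try:
            ipaddress.ip_address(value)
            return True
        except ValueError:
            return False
    if element_type == "PORT":
        return value.isdigit() and 0 <= int(value) <= 65535
    if element_type == "NUM":
        try:
            float(value)
            return True
        except ValueError:
            return False
    if element_type == "DATE":
        return value.isdigit()
    if element_type in ("ALN", "ALNIC"):
        return value != ""
    raise ValueError(f"unknown element type {element_type!r}")


def partition_indicators(values: Iterable[str], element_type: str) -> Tuple[List[str], List[str]]:
    """Split indicator values into (accepted, rejected) for the given element type.

    Duplicates are dropped; for ALNIC (alphanumeric, ignore case) two values
    that differ only in case count as the same element.
    """
    accepted: List[str] = []
    rejected: List[str] = []
    seen = set()
    for raw in values:
        value = str(raw).strip()
        if not is_valid_element(element_type, value):
            rejected.append(value)
            continue
        key = value.casefold() if element_type == "ALNIC" else value
        if key in seen:
            continue
        seen.add(key)
        accepted.append(value)
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = partition_indicators(SAMPLE_IP_INDICATORS, "IP")
    print("upload:", ok)
    print("rejected before upload:", bad)
```

The rejected list is worth logging: a malformed indicator in a feed that was meant to hold IP addresses is a data-quality signal in itself, and keeping it out of the reference set avoids silently degrading any rule that tests against the set.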

Context Output#

There is no context output for this command.

Command Example#

!qradar-upload-indicators query=type:IP ref_name="XSOAR IP Indicators"

Context Example#

{}

Human Readable Output#

reference set XSOAR IP Indicators was updated#

| Name | ElementType | TimeoutType | CreationTime | NumberOfElements |
| --- | --- | --- | --- | --- |
| XSOAR IP Indicators | ALNIC | UNKNOWN | 2020-09-02T06:59:41.266000Z | 276 |

Indicators list#

| Value | Type |
| --- | --- |
| 8.8.8.8 | IP |

qradar-reset-last-run#


Resets the fetch-incidents last run value, which returns the fetch to its initial state (the next fetch will start from the first available offense).

Base Command#

qradar-reset-last-run

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!qradar-reset-last-run

Context Example#

{}

Human Readable Output#

fetch-incidents was reset successfully.

get-mapping-fields#


Returns the list of fields for an incident type. This command is for debugging purposes.

Base Command#

get-mapping-fields

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

qradar-get-custom-properties#


Retrieves a list of event regex properties.

Base Command#

qradar-get-custom-properties

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of regex event properties to fetch. Default is 25. | Optional |
| field_name | A comma-separated list of names of exact properties to search for. | Optional |
| fields | A comma-separated list of fields that specifies the fields returned by the command output. When not given, all fields are returned. Options are identifier, name, id, locale, datetime_format, description, username, property_type, auto_discovered, use_for_rule_engine. | Optional |
| like_name | A comma-separated list of property names to search for. Case insensitive. | Optional |
| filter | This parameter is used to restrict the elements in a list based on the contents of various fields. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Properties.auto_discovered | Number | The flag to indicate if the event regex property is generated by the custom properties discovery engine. |
| QRadar.Properties.creation_date | Date | The date when the event regex property was created. |
| QRadar.Properties.datetime_format | String | The date/time pattern that the event regex property matches. |
| QRadar.Properties.description | String | The description of the event regex property. |
| QRadar.Properties.id | Number | The sequence ID of the event regex property. |
| QRadar.Properties.identifier | String | The ID of the event regex property. |
| QRadar.Properties.locale | String | The language tag of the locale that the Property matches. |
| QRadar.Properties.modification_date | Date | The date when the event regex property was last modified. |
| QRadar.Properties.name | String | The name of the event regex property. |
| QRadar.Properties.property_type | String | The property type (STRING, NUMERIC, IP, PORT, TIME) of the event regex property. |
| QRadar.Properties.use_for_rule_engine | Number | The flag to indicate if the event regex property is parsed when the event is received. |
| QRadar.Properties.username | String | The owner of the event regex property. |

Command Example#

!qradar-get-custom-properties field_name="AVT-App-Name" like_name="rule" limit=2

Context Example#

```json
{
    "QRadar": {
        "Properties": [
            {
                "auto_discovered": false,
                "creation_date": "2012-07-04 17:05:02",
                "datetime_format": null,
                "description": "",
                "id": 213,
                "identifier": "DEFAULT_ACF2_RULE_KEY",
                "locale": null,
                "modification_date": "2012-07-04 17:05:02",
                "name": "ACF2 rule key",
                "property_type": "string",
                "use_for_rule_engine": true,
                "username": "admin"
            },
            {
                "auto_discovered": false,
                "creation_date": "2012-07-04 17:05:02",
                "datetime_format": null,
                "description": "Rule name why Parity Agent blocked an access to a file.",
                "id": 222,
                "identifier": "DEFAULT_RULE_NAME",
                "locale": null,
                "modification_date": "2012-07-04 17:05:02",
                "name": "Rule Name",
                "property_type": "string",
                "use_for_rule_engine": true,
                "username": "admin"
            }
        ]
    }
}
```

Human Readable Output#

QRadar: Custom Properties:#

| auto_discovered | creation_date | description | id | identifier | modification_date | name | property_type | use_for_rule_engine | username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | 2012-07-04 17:05:02 |  | 213 | DEFAULT_ACF2_RULE_KEY | 2012-07-04 17:05:02 | ACF2 rule key | string | true | admin |
| false | 2012-07-04 17:05:02 | Rule name why Parity Agent blocked an access to a file. | 222 | DEFAULT_RULE_NAME | 2012-07-04 17:05:02 | Rule Name | string | true | admin |