
IBM QRadar v3

This integration is part of the IBM QRadar Pack.

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

Use the QRadar v3 integration to help security teams quickly and accurately detect and prioritize threats across the enterprise.
This integration was integrated and tested with API versions 10.1-14.0 on QRadar platform 7.4.1 (supports API versions 10.1 and above).

Configure QRadar v3 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for QRadar v3.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Server URL | e.g., https://192.168.0.1 | True |
    | Username | | True |
    | QRadar API Version | API version of QRadar (e.g., '12.0'). Minimum API version is 10.1. | True |
    | Incident Type | | False |
    | Fetch mode | | True |
    | Retry events fetch | When enabled, the integration retries the events fetch if the number of events fetched is less than event_count. The default number of tries is 3, but it can be configured via the Advanced Parameter EVENTS_SEARCH_TRIES, e.g., EVENTS_SEARCH_TRIES=5. | False |
    | Number of offenses to pull per API call (max 50) | | False |
    | Query to fetch offenses | Define a query to determine which offenses to fetch. E.g., "severity >= 4 AND id > 5". Filtering by status in the query may result in unexpected behavior when changing an incident's status. | False |
    | First fetch time | How long to look back while fetching incidents on the first fetch (<number> <time unit>, e.g., 12 hours, 7 days). | False |
    | Incidents Enrichment | IP enrichment transforms IDs of the IPs of the offense to IP values. Asset enrichment adds correlated assets to the fetched offenses. | True |
    | Event fields to return from the events query (WARNING: This parameter is correlated to the incoming mapper and changing the values may adversely affect mapping) | The parameter uses the AQL SELECT syntax. For more information, see: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.4/com.ibm.qradar.doc/c_aql_intro.html | False |
    | Mirroring Options | How mirroring from QRadar to Cortex XSOAR should be done. | False |
    | Close Mirrored XSOAR Incident | When selected, closing the QRadar offense is mirrored in Cortex XSOAR. Can't be used with a "status=OPEN" query. | False |
    | The number of incoming incidents to mirror each time | Maximum number of incoming incidents to mirror each time. | False |
    | Advanced Parameters | Comma-separated configuration for advanced parameter values. E.g., EVENTS_INTERVAL_SECS=20,FETCH_SLEEP=5 | False |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |

  4. Click Test to validate the URLs, token, and connection.

Required Permissions

| Component | Permission |
| --- | --- |
| Assets | Vulnerability Management or Assets |
| Domains | Admin |
| Offenses (Manage Closing Reason) | Manage Offense Closing Reasons |
| Offenses (Assign Offenses to Users) | Assign Offenses to Users |
| Offenses (Read) | Offenses |
| References (Create/Update) | Admin |
| References (Read) | View Reference Data |

Mapping Limitation for Cortex XSOAR Versions below 6.0.0

The Pull from instance option to create a new mapper is not supported in Cortex XSOAR versions below 6.0.0.

Creating a Classifier Using the Pull from instance Parameter

QRadar fetches incidents using a long-running execution, not in real time. Therefore, Pull from instance pulls incidents from the QRadar service to create a classifier using samples, not real time data. This results in seeing the latest sample stored, and not the latest offense that was fetched.

Important Note Regarding the Query to fetch offenses Parameter

The Query to fetch offenses feature enables defining a specific query for offenses to be retrieved, e.g., 'status = OPEN and id = 5'. The QRadar integration keeps track of IDs that have already been fetched in order to avoid duplicate fetching.
If you change the Query to fetch offenses value, the integration will not re-fetch offenses that have already been fetched. To re-fetch those offenses, run the qradar-reset-last-run command.

Note: Running that command resets the list of QRadar IDs that were already fetched, so duplicate offenses could be re-fetched, depending on the user query.
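The fetch bookkeeping described above, as an added illustration that is not the integration's own code. The real integration persists the IDs it has already fetched in its last-run state and sends the Query to fetch offenses value to QRadar as a server-side filter; here both are modelled in-process with a dict and a predicate so the three documented behaviours (no duplicates across fetch cycles, no re-fetch after a query change, re-fetch after qradar-reset-last-run) and the per-call offense limit can be seen end to end. The offense records and the function names are constructed for this example.

```python
"""Model of the offense-fetch bookkeeping (added example, not the integration's code)."""
from typing import Callable, Dict, List, Tuple

# Constructed sample offenses standing in for what QRadar would return.
QRADAR_OFFENSES = [
    {"id": 3, "severity": 2, "status": "OPEN"},
    {"id": 5, "severity": 6, "status": "OPEN"},
    {"id": 7, "severity": 8, "status": "CLOSED"},
    {"id": 9, "severity": 5, "status": "OPEN"},
]

Query = Callable[[dict], bool]


def fetch_offenses(last_run: Dict, query: Query, per_call: int = 50) -> Tuple[List[dict], Dict]:
    """One fetch cycle: apply the query, drop IDs already recorded in last_run, take at
    most per_call offenses in ascending ID order, and return them with the new last_run."""
    seen = set(last_run.get("fetched_ids", []))
    candidates = sorted(
        (o for o in QRADAR_OFFENSES if query(o) and o["id"] not in seen),
        key=lambda o: o["id"],
    )
    batch = candidates[:per_call]
    new_last_run = {"fetched_ids": sorted(seen | {o["id"] for o in batch})}
    return batch, new_last_run


def reset_last_run() -> Dict:
    """What qradar-reset-last-run does to the bookkeeping: forget every fetched ID."""
    return {"fetched_ids": []}


def ids(offenses: List[dict]) -> List[int]:
    return [o["id"] for o in offenses]


def run_scenario() -> Dict[str, List[int]]:
    """Walk through the documented behaviours and report which IDs each cycle returned."""
    def high_severity(o: dict) -> bool:      # stands in for "severity >= 4"
        return o["severity"] >= 4

    def everything(o: dict) -> bool:         # stands in for an empty query
        return True

    first, state = fetch_offenses({}, high_severity)
    second, state = fetch_offenses(state, high_severity)        # same query: nothing new
    third, state = fetch_offenses(state, everything)            # query widened: only unseen IDs
    fourth, state = fetch_offenses(reset_last_run(), everything)  # after reset: duplicates return
    return {
        "first": ids(first),
        "second": ids(second),
        "after_query_change": ids(third),
        "after_reset": ids(fourth),
    }


if __name__ == "__main__":
    for step, returned in run_scenario().items():
        print(f"{step}: {returned}")
```

The per_call argument plays the role of the "Number of offenses to pull per API call" parameter: with per_call=2 the first cycle returns IDs 3 and 5 and the next cycle continues with 7 and 9, because the IDs already recorded are skipped.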

Migration from QRadar v2 to QRadar v3

Every command and playbook that runs in QRadar v2 also runs in QRadar v3. No adjustments are required.

Additions and Changes from QRadar v2 to QRadar v3

New Commands

  • qradar-rule-groups-list
  • qradar-searches-list
  • qradar-geolocations-for-ip
  • qradar-log-sources-list
  • qradar-upload-indicators
  • get-modified-remote-data

Command Name Changes

| QRadar v2 command | QRadar v3 command | Notes |
| --- | --- | --- |
| qradar-offenses | qradar-offenses-list | |
| qradar-offense-by-id | qradar-offenses-list | Specify the offense_id argument in the command. |
| qradar-update-offense | qradar-offense-update | |
| qradar-get-closing-reasons | qradar-closing-reasons | |
| qradar-get-note | qradar-offense-notes-list | |
| qradar-create-note | qradar-offense-note-create | |
| qradar-get-assets | qradar-assets-list | |
| qradar-get-asset-by-id | qradar-assets-list | Specify the asset_id argument in the command. |
| qradar-searches | qradar-search-create | |
| qradar-get-search | qradar-search-status-get | |
| qradar-get-search-results | qradar-search-results-get | |
| qradar-get-reference-by-name | qradar-reference-sets-list | Specify the ref_name argument in the command. |
| qradar-create-reference-set | qradar-reference-set-create | |
| qradar-delete-reference-set | qradar-reference-set-delete | |
| qradar-create-reference-set-value | qradar-reference-set-value-upsert | |
| qradar-update-reference-set-value | qradar-reference-set-value-upsert | |
| qradar-delete-reference-set-value | qradar-reference-set-value-delete | |
| qradar-get-domains | qradar-domains-list | |
| qradar-get-domain-by-id | qradar-domains-list | Specify the domain_id argument in the command. |

Mirroring

This integration supports mirroring from QRadar offenses to Cortex XSOAR.
When a field of an offense is updated in QRadar, the update is mirrored in Cortex XSOAR.

Mirroring Events

  • Mirroring events from QRadar to Cortex XSOAR is supported via the Mirror Offense and Events option.
  • Events will only be mirrored in the incoming direction.
  • Mirroring events will only work when the Long running instance parameter is enabled.
  • Filtering events using the events_limit and events_columns options for mirrored incidents will be the same as in the fetched incidents.
  • The integration will always mirror the events that occurred first in each offense.

For more information about mirroring configurations, see here.

Use the API Token Instead of Username and Password

  • In the Username / API Key field, type _api_token_key.
  • In the Password field, type your API token.

Choose Your API Version

  1. Visit the QRadar API versions page for a full list of available API versions according to the QRadar version.
  2. Choose one of the API versions listed under the Supported REST API versions column in the line corresponding to your QRadar version.

Note: If you're uncertain which API version to use, it is recommended to use the latest API version listed in the Supported REST API versions column in the line corresponding to your QRadar version.

View Your QRadar Version

  1. Log in to the QRadar service.
  2. Click the Menu toolbar. A scrolling toolbar will appear.
  3. Click About. A new window will appear with the details of your QRadar version.

Troubleshooting

When Fetch with events is configured, the integration fetches the offense events from QRadar. Nevertheless, some events may not be available yet when they are requested during incident creation. If Retry events fetch is enabled, the integration tries again to fetch events when the number fetched is less than the expected event_count. By default, the integration tries 3 times, with a wait of 100 seconds between retries. To change the defaults, configure the following Advanced Parameters in the instance configuration:

  • EVENTS_SEARCH_TRIES=<number of tries for the events search> (default 3)
  • EVENTS_SEARCH_RETRY_SECONDS=<number of seconds to wait between tries> (default 100)
  • EVENTS_POLLING_TRIES=<number of times to poll for one search> (default 10)

It is recommended to enable mirroring, as it should fetch previously missed events when the offense is updated. Alternatively, the retrieve events command can be used to retrieve the events immediately. If the command takes too long to finish executing, try setting interval_in_seconds to a lower value (down to a minimum of 10 seconds).
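The retry policy above, as an added example that is not the integration's own code: it parses the comma-separated Advanced Parameters string into the documented keys with their defaults, then runs an events search up to EVENTS_SEARCH_TRIES times, waiting EVENTS_SEARCH_RETRY_SECONDS between attempts, until the result reaches the offense's event_count. The AQL search is replaced by a constructed callable whose result fills in over successive calls, which is exactly the situation the retry exists for; the function names and the sample events are assumptions for this example.

```python
"""Advanced Parameters parsing and the events-fetch retry loop (added example)."""
import time
from typing import Callable, Dict, List, Tuple

# Documented defaults for the three retry-related advanced parameters.
DEFAULTS: Dict[str, int] = {
    "EVENTS_SEARCH_TRIES": 3,
    "EVENTS_SEARCH_RETRY_SECONDS": 100,
    "EVENTS_POLLING_TRIES": 10,
}


def parse_advanced_params(raw: str) -> Dict[str, object]:
    """Parse "KEY=VALUE,KEY=VALUE" (e.g. EVENTS_INTERVAL_SECS=20,FETCH_SLEEP=5) over DEFAULTS.
    Integer-looking values become ints. A token without '=' raises ValueError so a typo
    in the instance configuration surfaces when the instance is tested instead of being
    silently ignored and leaving the defaults in force."""
    params: Dict[str, object] = dict(DEFAULTS)
    for token in (t.strip() for t in raw.split(",")):
        if not token:
            continue  # tolerate a trailing comma
        if "=" not in token:
            raise ValueError(f"malformed advanced parameter: {token!r}")
        key, value = (part.strip() for part in token.split("=", 1))
        params[key] = int(value) if value.lstrip("-").isdigit() else value
    return params


def advanced_params_ok(raw: str) -> bool:
    """True when the string parses; a cheap pre-flight check for the Test button."""
    try:
        parse_advanced_params(raw)
        return True
    except ValueError:
        return False


def fetch_events_with_retry(search: Callable[[], List[dict]], expected_count: int,
                            params: Dict[str, object],
                            sleep: Callable[[float], None] = time.sleep) -> Tuple[List[dict], int]:
    """Run `search` up to EVENTS_SEARCH_TRIES times, stopping as soon as it returns at least
    expected_count events (the offense's event_count), and wait EVENTS_SEARCH_RETRY_SECONDS
    between attempts. Returns (events, attempts_used). A short result after the final
    attempt is returned as-is; the mirroring recommendation above covers what is still missing."""
    tries = int(params["EVENTS_SEARCH_TRIES"])
    wait = int(params["EVENTS_SEARCH_RETRY_SECONDS"])
    events: List[dict] = []
    for attempt in range(1, tries + 1):
        events = search()
        if len(events) >= expected_count:
            return events, attempt
        if attempt < tries:
            sleep(wait)
    return events, tries


def make_lagging_search(all_events: List[dict], complete_on_call: int) -> Callable[[], List[dict]]:
    """Constructed stand-in for an AQL event search: before call number complete_on_call
    only a growing prefix of the events has been indexed."""
    calls = {"n": 0}

    def search() -> List[dict]:
        calls["n"] += 1
        if calls["n"] >= complete_on_call:
            return list(all_events)
        return all_events[: len(all_events) * calls["n"] // (complete_on_call + 1)]

    return search


if __name__ == "__main__":
    cfg = parse_advanced_params("EVENTS_SEARCH_TRIES=5,EVENTS_SEARCH_RETRY_SECONDS=1")
    sample = [{"eventid": i, "category": "Session Closed"} for i in range(6)]  # constructed
    got, used = fetch_events_with_retry(make_lagging_search(sample, 3), len(sample), cfg,
                                        sleep=lambda s: None)
    print(f"{len(got)} events after {used} attempt(s)")
```

The sleep callable is injectable so the loop can be exercised without waiting the real 100 seconds per retry; in production the default time.sleep applies.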

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

qradar-offenses-list

Gets offenses from QRadar.

Base Command

qradar-offenses-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The offense ID to retrieve its details. Specify offense_id to get details about a specific offense. | Optional |
| enrichment | IP enrichment transforms IDs of the IPs of the offense to IP values. Asset enrichment adds correlated assets to the fetched offenses. Possible values are: IPs, IPs And Assets, None. Default is None. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query to filter offenses, e.g., "severity >= 4 AND id > 5 AND status=OPEN". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,severity,status". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-GET.html. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Description | String | Description of the offense. |
| QRadar.Offense.Rules.id | Number | The ID of the rule. |
| QRadar.Offense.Rules.type | String | The type of the rule. |
| QRadar.Offense.Rules.name | String | The name of the rule. |
| QRadar.Offense.EventCount | Number | Number of events that are associated with the offense. |
| QRadar.Offense.FlowCount | Number | Number of flows that are associated with the offense. |
| QRadar.Offense.AssignedTo | String | The user to whom the offense is assigned. |
| QRadar.Offense.Followup | Boolean | Whether the offense is marked for follow-up. |
| QRadar.Offense.SourceAddress | Number | Source addresses (IPs if IP enrichment was requested, else IDs of the IPs) that are associated with the offense. |
| QRadar.Offense.Protected | Boolean | Whether the offense is protected. |
| QRadar.Offense.ClosingUser | String | The user who closed the offense. |
| QRadar.Offense.DestinationHostname | String | Destination networks that are associated with the offense. |
| QRadar.Offense.CloseTime | Date | Time when the offense was closed. |
| QRadar.Offense.RemoteDestinationCount | Number | Number of remote destinations that are associated with the offense. |
| QRadar.Offense.StartTime | Date | Date of the earliest item that contributed to the offense. |
| QRadar.Offense.Magnitude | Number | Magnitude of the offense. |
| QRadar.Offense.LastUpdatedTime | String | Date of the most recent item that contributed to the offense. |
| QRadar.Offense.Credibility | Number | Credibility of the offense. |
| QRadar.Offense.ID | Number | ID of the offense. |
| QRadar.Offense.Categories | String | Event categories that are associated with the offense. |
| QRadar.Offense.Severity | Number | Severity of the offense. |
| QRadar.Offense.ClosingReason | String | Reason the offense was closed. |
| QRadar.Offense.OffenseType | String | Type of the offense. |
| QRadar.Offense.Relevance | Number | Relevance of the offense. |
| QRadar.Offense.OffenseSource | String | Source of the offense. |
| QRadar.Offense.DestinationAddress | Number | Destination addresses (IPs if IP enrichment was requested, else IDs of the IPs) that are associated with the offense. |
| QRadar.Offense.Status | String | Status of the offense. Possible values: "OPEN", "HIDDEN", "CLOSED". |
| QRadar.Offense.LinkToOffense | String | Link to the URL containing information about the offense. |
| QRadar.Offense.Assets | String | Assets correlated to the offense, if enrichment was requested. |

Command Example

!qradar-offenses-list enrichment=IPs filter="status=OPEN" range=0-2

Context Example

{
  "QRadar": {
    "Offense": [
      {
        "Categories": [
          "Session Closed"
        ],
        "Credibility": 2,
        "Description": "Session Closed\n",
        "DestinationAddress": [
          "192.168.1.3"
        ],
        "DestinationHostname": [
          "Net-10-172-192.Net_192_168_1_3"
        ],
        "EventCount": 1,
        "FlowCount": 0,
        "Followup": true,
        "ID": 16,
        "LastUpdatedTime": "2021-02-15T14:24:11.536000+00:00",
        "LinkToOffense": "https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=16",
        "Magnitude": 1,
        "OffenseSource": "192.168.1.3",
        "OffenseType": "Source IP",
        "Protected": false,
        "Relevance": 0,
        "RemoteDestinationCount": 0,
        "Rules": [
          {
            "id": 100405,
            "name": "Fake port scan",
            "type": "CRE_RULE"
          }
        ],
        "Severity": 2,
        "SourceAddress": [
          "192.168.1.3"
        ],
        "StartTime": "2021-02-15T14:24:11.536000+00:00",
        "Status": "OPEN"
      },
      {
        "Categories": [
          "User Login Failure",
          "General Authentication Failed"
        ],
        "Credibility": 2,
        "Description": "Multiple Login Failures for the Same User\n containing Failure Audit: The domain controller failed to validate the credentials for an account\n",
        "DestinationAddress": [
          "192.168.1.3"
        ],
        "DestinationHostname": [
          "Net-10-172-192.Net_192_168_1_3"
        ],
        "EventCount": 15,
        "FlowCount": 0,
        "Followup": false,
        "ID": 15,
        "LastUpdatedTime": "2021-02-15T13:21:46.948000+00:00",
        "LinkToOffense": "https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=15",
        "Magnitude": 1,
        "OffenseSource": "yarden",
        "OffenseType": "Username",
        "Protected": false,
        "Relevance": 0,
        "RemoteDestinationCount": 0,
        "Rules": [
          {
            "id": 100056,
            "name": "Multiple Login Failures for Single Username",
            "type": "CRE_RULE"
          }
        ],
        "Severity": 3,
        "SourceAddress": [
          "192.168.1.3",
          "::1"
        ],
        "StartTime": "2021-02-15T13:21:36.537000+00:00",
        "Status": "OPEN"
      },
      {
        "Categories": [
          "User Login Success",
          "Session Opened",
          "Session Closed"
        ],
        "Credibility": 2,
        "Description": "User Login Success\n and Session Opened\n and Session Closed\n",
        "DestinationAddress": [
          "192.168.1.3"
        ],
        "DestinationHostname": [
          "Net-10-172-192.Net_192_168_1_3"
        ],
        "EventCount": 5,
        "FlowCount": 0,
        "Followup": false,
        "ID": 14,
        "LastUpdatedTime": "2021-02-04T22:29:30.742000+00:00",
        "LinkToOffense": "https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=14",
        "Magnitude": 1,
        "OffenseSource": "192.168.1.3",
        "OffenseType": "Source IP",
        "Protected": false,
        "Relevance": 0,
        "RemoteDestinationCount": 0,
        "Rules": [
          {
            "id": 100405,
            "name": "Fake port scan",
            "type": "CRE_RULE"
          }
        ],
        "Severity": 1,
        "SourceAddress": [
          "192.168.1.3"
        ],
        "StartTime": "2021-02-04T12:19:54.402000+00:00",
        "Status": "OPEN"
      }
    ]
  }
}

Human Readable Output

Offenses List

| ID | Description | OffenseType | Status | Severity | LastUpdatedTime | EventCount | Categories | Protected | Relevance | LinkToOffense | OffenseSource | DestinationAddress | Rules | Magnitude | SourceAddress | DestinationHostname | Credibility | Followup | RemoteDestinationCount | FlowCount | StartTime |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 16 | Session Closed | Source IP | OPEN | 2 | 2021-02-15T14:24:11.536000+00:00 | 1 | Session Closed | false | 0 | https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=16 | 192.168.1.3 | 192.168.1.3 | {'id': 100405, 'type': 'CRE_RULE', 'name': 'Fake port scan'} | 1 | 192.168.1.3 | Net-10-172-192.Net_192_168_1_3 | 2 | true | 0 | 0 | 2021-02-15T14:24:11.536000+00:00 |
| 15 | Multiple Login Failures for the Same User containing Failure Audit: The domain controller failed to validate the credentials for an account | Username | OPEN | 3 | 2021-02-15T13:21:46.948000+00:00 | 15 | User Login Failure, General Authentication Failed | false | 0 | https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=15 | yarden | 192.168.1.3 | {'id': 100056, 'type': 'CRE_RULE', 'name': 'Multiple Login Failures for Single Username'} | 1 | 192.168.1.3, ::1 | Net-10-172-192.Net_192_168_1_3 | 2 | false | 0 | 0 | 2021-02-15T13:21:36.537000+00:00 |
| 14 | User Login Success and Session Opened and Session Closed | Source IP | OPEN | 1 | 2021-02-04T22:29:30.742000+00:00 | 5 | User Login Success, Session Opened, Session Closed | false | 0 | https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=14 | 192.168.1.3 | 192.168.1.3 | {'id': 100405, 'type': 'CRE_RULE', 'name': 'Fake port scan'} | 1 | 192.168.1.3 | Net-10-172-192.Net_192_168_1_3 | 2 | false | 0 | 0 | 2021-02-04T12:19:54.402000+00:00 |
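A post-processing step for the QRadar.Offense context that qradar-offenses-list writes, as an added example for use in an XSOAR automation; it is not code from the integration or the pack. It takes the point the Context Output table makes about SourceAddress and DestinationAddress seriously: those lists hold IP strings only when the command ran with enrichment=IPs or "IPs And Assets", otherwise they hold QRadar address IDs, which must not be treated as IPs. The sample data is constructed from the Context Example above plus one un-enriched and one closed offense; the function names are assumptions for this example.

```python
"""Triage helper over qradar-offenses-list context (added example, not the pack's code)."""
import ipaddress
from typing import Any, List

# Constructed from the Context Example above (trimmed to the fields used here).
SAMPLE_OFFENSES = [
    {"ID": 16, "Status": "OPEN", "Severity": 2, "Magnitude": 1, "Credibility": 2, "EventCount": 1,
     "OffenseType": "Source IP", "OffenseSource": "192.168.1.3",
     "SourceAddress": ["192.168.1.3"], "DestinationAddress": ["192.168.1.3"],
     "Rules": [{"id": 100405, "type": "CRE_RULE", "name": "Fake port scan"}]},
    {"ID": 15, "Status": "OPEN", "Severity": 3, "Magnitude": 1, "Credibility": 2, "EventCount": 15,
     "OffenseType": "Username", "OffenseSource": "yarden",
     "SourceAddress": ["192.168.1.3", "::1"], "DestinationAddress": ["192.168.1.3"],
     "Rules": [{"id": 100056, "type": "CRE_RULE", "name": "Multiple Login Failures for Single Username"}]},
    {"ID": 14, "Status": "OPEN", "Severity": 1, "Magnitude": 1, "Credibility": 2, "EventCount": 5,
     "OffenseType": "Source IP", "OffenseSource": "192.168.1.3",
     "SourceAddress": ["192.168.1.3"], "DestinationAddress": ["192.168.1.3"],
     "Rules": [{"id": 100405, "type": "CRE_RULE", "name": "Fake port scan"}]},
    # Constructed: fetched with enrichment=None, so the address lists hold QRadar IDs, not IPs.
    {"ID": 20, "Status": "OPEN", "Severity": 5, "Magnitude": 2, "Credibility": 3, "EventCount": 40,
     "OffenseType": "Source IP", "OffenseSource": "10.0.0.7",
     "SourceAddress": [17], "DestinationAddress": [18],
     "Rules": [{"id": 100098, "type": "CRE_RULE", "name": "Host Port Scan Detected by Remote Host"}]},
    # Constructed: a closed offense, which triage skips regardless of its scores.
    {"ID": 12, "Status": "CLOSED", "Severity": 9, "Magnitude": 7, "Credibility": 5, "EventCount": 300,
     "OffenseType": "Source IP", "OffenseSource": "10.0.0.9",
     "SourceAddress": ["10.0.0.9"], "DestinationAddress": ["10.0.0.1"], "Rules": []},
]


def classify_address(value: Any) -> str:
    """Return "ip" for an IPv4/IPv6 literal, "id" for a QRadar address ID, else "unknown"."""
    if isinstance(value, bool):
        return "unknown"
    if isinstance(value, int):
        return "id"
    text = str(value)
    try:
        ipaddress.ip_address(text)
        return "ip"
    except ValueError:
        return "id" if text.isdigit() else "unknown"


def is_ip_enriched(offense: dict) -> bool:
    """True only when every source and destination entry parses as an IP address."""
    addrs = list(offense.get("SourceAddress", [])) + list(offense.get("DestinationAddress", []))
    return bool(addrs) and all(classify_address(a) == "ip" for a in addrs)


def rank_key(o: dict):
    return (o.get("Magnitude", 0), o.get("Severity", 0), o.get("Credibility", 0), o.get("EventCount", 0))


def triage(offenses: List[dict]) -> List[dict]:
    """Rank OPEN offenses by (Magnitude, Severity, Credibility, EventCount), highest first,
    and return one compact row per offense for an analyst table or a playbook branch."""
    rows = []
    for o in sorted((o for o in offenses if o.get("Status") == "OPEN"), key=rank_key, reverse=True):
        sources = list(o.get("SourceAddress", []))
        rows.append({
            "id": o["ID"],
            "magnitude": o.get("Magnitude", 0),
            "severity": o.get("Severity", 0),
            "offense_source": f'{o.get("OffenseType")}: {o.get("OffenseSource")}',
            "rules": [r.get("name") for r in o.get("Rules", [])],
            "ip_enriched": is_ip_enriched(o),
            # IPv6 sources are easy to miss in a table laid out for dotted-quad addresses.
            "ipv6_sources": [a for a in sources
                             if classify_address(a) == "ip" and ipaddress.ip_address(a).version == 6],
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_OFFENSES):
        print(row)
```

A playbook that wants IP values for an un-enriched offense (ip_enriched is false) should re-run qradar-offenses-list with the offense_id and enrichment=IPs rather than passing the raw IDs on to IP reputation steps.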

qradar-offense-update

Updates an offense.

Base Command

qradar-offense-update

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The ID of the offense to update. | Required |
| enrichment | IP enrichment transforms IDs of the IPs of the offense to IP values. Asset enrichment adds correlated assets to the fetched offenses. Possible values are: IPs, IPs And Assets, None. Default is None. | Optional |
| protected | Whether the offense should be protected. Possible values are: true, false. | Optional |
| follow_up | Whether the offense should be marked for follow-up. Possible values are: true, false. | Optional |
| status | The new status for the offense. When the status of an offense is set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status. Possible values are: OPEN, HIDDEN, CLOSED. | Optional |
| closing_reason_id | The ID of a closing reason. You must provide a valid closing_reason_id when you close an offense. For a full list of closing reason IDs, use the 'qradar-closing-reasons' command. | Optional |
| assigned_to | User to assign the offense to. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,severity,status". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-offense_id-POST.html. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Description | String | Description of the offense. |
| QRadar.Offense.Rules.id | Number | The ID of the rule. |
| QRadar.Offense.Rules.type | String | The type of the rule. |
| QRadar.Offense.Rules.name | String | The name of the rule. |
| QRadar.Offense.EventCount | Number | Number of events that are associated with the offense. |
| QRadar.Offense.FlowCount | Number | Number of flows that are associated with the offense. |
| QRadar.Offense.AssignedTo | String | The user to whom the offense is assigned. |
| QRadar.Offense.Followup | Boolean | Whether the offense is marked for follow-up. |
| QRadar.Offense.SourceAddress | Number | Source addresses (IPs if IP enrichment was requested, else IDs of the IPs) that are associated with the offense. |
| QRadar.Offense.Protected | Boolean | Whether the offense is protected. |
| QRadar.Offense.ClosingUser | String | The user who closed the offense. |
| QRadar.Offense.DestinationHostname | String | Destination networks that are associated with the offense. |
| QRadar.Offense.CloseTime | Date | Time when the offense was closed. |
| QRadar.Offense.RemoteDestinationCount | Number | Number of remote destinations that are associated with the offense. |
| QRadar.Offense.StartTime | Date | Date of the earliest item that contributed to the offense. |
| QRadar.Offense.Magnitude | Number | Magnitude of the offense. |
| QRadar.Offense.LastUpdatedTime | String | Date of the most recent item that contributed to the offense. |
| QRadar.Offense.Credibility | Number | Credibility of the offense. |
| QRadar.Offense.ID | Number | ID of the offense. |
| QRadar.Offense.Categories | String | Event categories that are associated with the offense. |
| QRadar.Offense.Severity | Number | Severity of the offense. |
| QRadar.Offense.ClosingReason | String | Reason the offense was closed. |
| QRadar.Offense.OffenseType | String | Type of the offense. |
| QRadar.Offense.Relevance | Number | Relevance of the offense. |
| QRadar.Offense.OffenseSource | String | Source of the offense. |
| QRadar.Offense.DestinationAddress | Number | Destination addresses (IPs if IP enrichment was requested, else IDs of the IPs) that are associated with the offense. |
| QRadar.Offense.Status | String | Status of the offense. Possible values: "OPEN", "HIDDEN", "CLOSED". |
| QRadar.Offense.LinkToOffense | String | Link to the URL containing information about the offense. |
| QRadar.Offense.Assets | String | Assets correlated to the offense, if enrichment was requested. |

Command Example

!qradar-offense-update offense_id=6 assigned_to=demisto enrichment="IPs And Assets" follow_up=true status=OPEN protected=false

Context Example

{
  "QRadar": {
    "Offense": {
      "AssignedTo": "demisto",
      "Categories": [
        "Host Port Scan",
        "Access Permitted"
      ],
      "Credibility": 3,
      "Description": "Fake port scan\n",
      "DestinationAddress": [
        "192.168.1.3"
      ],
      "DestinationHostname": [
        "Net-10-172-192.Net_192_168_1_3"
      ],
      "EventCount": 6553,
      "FlowCount": 0,
      "Followup": true,
      "ID": 6,
      "LastUpdatedTime": "2021-03-02T13:38:32.438000+00:00",
      "LinkToOffense": "https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=6",
      "Magnitude": 6,
      "OffenseSource": "192.168.1.3",
      "OffenseType": "Source IP",
      "Protected": false,
      "Relevance": 5,
      "RemoteDestinationCount": 0,
      "Rules": [
        {
          "id": 100405,
          "name": "Fake port scan",
          "type": "CRE_RULE"
        }
      ],
      "Severity": 9,
      "SourceAddress": [
        "192.168.1.3"
      ],
      "StartTime": "2020-11-10T22:24:23.603000+00:00",
      "Status": "OPEN"
    }
  }
}

Human Readable Output

Offense Update

| ID | Description | OffenseType | Status | Severity | SourceAddress | Relevance | LastUpdatedTime | OffenseSource | Magnitude | Followup | Rules | DestinationAddress | DestinationHostname | Categories | RemoteDestinationCount | Credibility | FlowCount | EventCount | AssignedTo | Protected | StartTime | LinkToOffense |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 6 | Fake port scan | Source IP | OPEN | 9 | 192.168.1.3 | 5 | 2021-03-02T13:38:32.438000+00:00 | 192.168.1.3 | 6 | true | {'id': 100405, 'type': 'CRE_RULE', 'name': 'Fake port scan'} | 192.168.1.3 | Net-10-172-192.Net_192_168_1_3 | Host Port Scan, Access Permitted | 0 | 3 | 0 | 6553 | demisto | false | 2020-11-10T22:24:23.603000+00:00 | https://192.168.0.1/api/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=6 |

qradar-closing-reasons

Retrieves a list of offense closing reasons.

Base Command

qradar-closing-reasons

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| closing_reason_id | The closing reason ID for which to retrieve its details. Specify closing_reason_id to get details about a specific closing reason. | Optional |
| include_reserved | If true, reserved closing reasons are included in the response. Possible values are: true, false. Default is false. | Optional |
| include_deleted | If true, deleted closing reasons are included in the response. Possible values are: true, false. Default is false. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query to filter closing reasons, e.g., "id > 5". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,text". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offense_closing_reasons-GET.html. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.ClosingReasons.IsDeleted | Boolean | Whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense. |
| QRadar.Offense.ClosingReasons.IsReserved | Boolean | Whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense. |
| QRadar.Offense.ClosingReasons.Name | String | Name of the closing reason. |
| QRadar.Offense.ClosingReasons.ID | Number | ID of the closing reason. |

Command Example

!qradar-closing-reasons include_deleted=true include_reserved=true

Context Example

{
  "QRadar": {
    "ClosingReason": [
      {
        "ID": 2,
        "IsDeleted": false,
        "IsReserved": false,
        "Name": "False-Positive, Tuned"
      },
      {
        "ID": 1,
        "IsDeleted": false,
        "IsReserved": false,
        "Name": "Non-Issue"
      },
      {
        "ID": 3,
        "IsDeleted": false,
        "IsReserved": false,
        "Name": "Policy Violation"
      },
      {
        "ID": 4,
        "IsDeleted": false,
        "IsReserved": true,
        "Name": "System Change (Upgrade, Reset, etc.)"
      }
    ]
  }
}

Human Readable Output

Closing Reasons

| ID | Name | IsDeleted | IsReserved |
| --- | --- | --- | --- |
| 2 | False-Positive, Tuned | false | false |
| 1 | Non-Issue | false | false |
| 3 | Policy Violation | false | false |
| 4 | System Change (Upgrade, Reset, etc.) | false | true |
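The two rules stated above, that qradar-offense-update with status=CLOSED needs a valid closing_reason_id and that deleted or reserved closing reasons (IsDeleted, IsReserved in the qradar-closing-reasons output) cannot be used to close an offense, combined into one pre-flight check, as an added example that is not code from the integration or the pack. It builds the argument set for qradar-offense-update, rejects a close request whose closing reason is missing, unknown, deleted or reserved before anything is sent to QRadar, and renders the result as the War Room command line. The closing-reason list is constructed from the Context Example above; the function names are assumptions for this example.

```python
"""Pre-flight validation for qradar-offense-update arguments (added example)."""
from typing import Dict, List, Optional

VALID_STATUSES = {"OPEN", "HIDDEN", "CLOSED"}

# Constructed from the qradar-closing-reasons Context Example above.
CLOSING_REASONS: List[dict] = [
    {"ID": 2, "IsDeleted": False, "IsReserved": False, "Name": "False-Positive, Tuned"},
    {"ID": 1, "IsDeleted": False, "IsReserved": False, "Name": "Non-Issue"},
    {"ID": 3, "IsDeleted": False, "IsReserved": False, "Name": "Policy Violation"},
    {"ID": 4, "IsDeleted": False, "IsReserved": True, "Name": "System Change (Upgrade, Reset, etc.)"},
]


def usable_closing_reasons(reasons: List[dict] = CLOSING_REASONS) -> Dict[int, str]:
    """ID -> Name for the closing reasons QRadar will accept on a close."""
    return {r["ID"]: r["Name"] for r in reasons if not r["IsDeleted"] and not r["IsReserved"]}


def closing_problem(status: Optional[str], closing_reason_id: Optional[int],
                    reasons: List[dict] = CLOSING_REASONS) -> Optional[str]:
    """Explain why the status change cannot be sent, or return None when it can."""
    if status is None:
        return None
    status = status.upper()
    if status not in VALID_STATUSES:
        return f"status must be one of {sorted(VALID_STATUSES)}, got {status!r}"
    if status != "CLOSED":
        return None
    usable = usable_closing_reasons(reasons)
    if closing_reason_id is None:
        return "status=CLOSED requires closing_reason_id; run qradar-closing-reasons to list them"
    if closing_reason_id not in usable:
        return (f"closing_reason_id {closing_reason_id} is unknown, deleted or reserved; "
                f"usable IDs: {sorted(usable)}")
    return None


def can_close_with(closing_reason_id: int, reasons: List[dict] = CLOSING_REASONS) -> bool:
    return closing_problem("CLOSED", closing_reason_id, reasons) is None


def build_update_args(offense_id: int, status: Optional[str] = None,
                      closing_reason_id: Optional[int] = None,
                      reasons: List[dict] = CLOSING_REASONS, **extra) -> dict:
    """Return the argument dict for qradar-offense-update, or raise ValueError.
    Extra keyword arguments (assigned_to, enrichment, follow_up, protected, ...) pass through."""
    problem = closing_problem(status, closing_reason_id, reasons)
    if problem:
        raise ValueError(problem)
    args: dict = {"offense_id": offense_id}
    if status is not None:
        args["status"] = status.upper()
        if args["status"] == "CLOSED":
            args["closing_reason_id"] = closing_reason_id
    args.update(extra)
    return args


def to_command_line(args: dict) -> str:
    """Render the arguments as the War Room command, quoting values that contain spaces."""
    parts = ["!qradar-offense-update"]
    for key, value in args.items():
        text = str(value).lower() if isinstance(value, bool) else str(value)
        parts.append(f'{key}="{text}"' if " " in text else f"{key}={text}")
    return " ".join(parts)


if __name__ == "__main__":
    print(to_command_line(build_update_args(6, status="CLOSED", closing_reason_id=2)))
    print(closing_problem("CLOSED", 4))  # reserved reason: explains the rejection
```

Reason 4 in the sample is reserved, so a close with closing_reason_id=4 is refused locally with a message naming the IDs that would work, instead of producing an API error inside a playbook.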

qradar-offense-notes-list

Retrieves a list of notes for an offense.

Base Command

qradar-offense-notes-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The offense ID to retrieve the notes for. | Required |
| note_id | The note ID for which to retrieve its details. Specify note_id to get details about a specific note. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query to filter offense notes, e.g., "username=admin". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "username,note_text". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-offense_id-notes-GET.html. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Note.Text | String | The text of the note. |
| QRadar.Note.CreateTime | Date | Creation date of the note. |
| QRadar.Note.ID | Number | ID of the note. |
| QRadar.Note.CreatedBy | String | The user who created the note. |

Command Example

!qradar-offense-notes-list offense_id=6 filter="username='API_user: demisto'" range=0-1

Context Example

{
  "QRadar": {
    "Note": [
      {
        "CreateTime": "2021-03-03T08:32:46.467000+00:00",
        "CreatedBy": "API_user: demisto",
        "ID": 12,
        "Text": "Note Regarding The Offense"
      },
      {
        "CreateTime": "2021-03-01T16:49:33.691000+00:00",
        "CreatedBy": "API_user: demisto",
        "ID": 10,
        "Text": "Note Regarding The Offense"
      }
    ]
  }
}

Human Readable Output

Offense Notes List For Offense ID 6

| ID | Text | CreatedBy | CreateTime |
| --- | --- | --- | --- |
| 12 | Note Regarding The Offense | API_user: demisto | 2021-03-03T08:32:46.467000+00:00 |
| 10 | Note Regarding The Offense | API_user: demisto | 2021-03-01T16:49:33.691000+00:00 |

qradar-offense-note-create

Creates a note on an offense.

Base Command

qradar-offense-note-create

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The offense ID to add the note to. | Required |
| note_text | The text of the note. | Required |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "username,note_text". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-offense_id-notes-POST.html. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Note.Text | String | The text of the note. |
| QRadar.Note.CreateTime | Date | Creation date of the note. |
| QRadar.Note.ID | Number | ID of the note. |
| QRadar.Note.CreatedBy | String | The user who created the note. |

Command Example

!qradar-offense-note-create note_text="Note Regarding The Offense" offense_id=6

Context Example

{
  "QRadar": {
    "Note": {
      "CreateTime": "2021-03-03T08:35:52.908000+00:00",
      "CreatedBy": "API_user: demisto",
      "ID": 13,
      "Text": "Note Regarding The Offense"
    }
  }
}

Human Readable Output

Create Note

| ID | Text | CreatedBy | CreateTime |
| --- | --- | --- | --- |
| 13 | Note Regarding The Offense | API_user: demisto | 2021-03-03T08:35:52.908000+00:00 |

qradar-rules-list

Retrieves a list of rules.

Base Command

qradar-rules-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_id | The rule ID for which to retrieve its details. Specify rule_id to get details about a specific rule. | Optional |
| rule_type | Retrieves rules corresponding to the specified rule type. Possible values are: EVENT, FLOW, COMMON, USER. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter rules, e.g., "type=EVENT". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "owner,identifier,origin". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--analytics-rules-GET.html. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Rule.Owner | String | Owner of the rule. |
| QRadar.Rule.BaseHostID | Number | ID of the host from which the rule's base capacity was determined. |
| QRadar.Rule.CapacityTimestamp | Number | Date when the rule's capacity values were last updated. |
| QRadar.Rule.Origin | String | Origin of the rule. Possible values: "SYSTEM", "OVERRIDE", "USER". |
| QRadar.Rule.CreationDate | Date | Date when the rule was created. |
| QRadar.Rule.Type | String | Type of the rule. Possible values: "EVENT", "FLOW", "COMMON", "USER". |
| QRadar.Rule.Enabled | Boolean | Whether the rule is enabled. |
| QRadar.Rule.ModificationDate | Date | Date when the rule was last modified. |
| QRadar.Rule.Name | String | Name of the rule. |
| QRadar.Rule.AverageCapacity | Number | Moving average capacity in EPS of the rule across all hosts. |
| QRadar.Rule.ID | Number | ID of the rule. |
| QRadar.Rule.BaseCapacity | Number | Base capacity of the rule in events per second. |

Command Example

!qradar-rules-list rule_type=COMMON

Context Example

{
  "QRadar": {
    "Rule": [
      {
        "AverageCapacity": 0,
        "BaseCapacity": 0,
        "BaseHostID": 0,
        "CapacityTimestamp": 0,
        "CreationDate": "2007-10-14T20:12:00.374000+00:00",
        "Enabled": true,
        "ID": 100057,
        "ModificationDate": "2020-10-18T19:40:21.886000+00:00",
        "Name": "Login Successful After Scan Attempt",
        "Origin": "SYSTEM",
        "Owner": "admin",
        "Type": "COMMON"
      },
      {
        "AverageCapacity": 0,
        "BaseCapacity": 0,
        "BaseHostID": 0,
        "CapacityTimestamp": 0,
        "CreationDate": "2006-03-27T10:54:12.077000+00:00",
        "Enabled": false,
        "ID": 100091,
        "ModificationDate": "2020-10-18T19:40:19.334000+00:00",
        "Name": "Botnet: Potential Botnet Connection (DNS)",
        "Origin": "SYSTEM",
        "Owner": "admin",
        "Type": "COMMON"
      },
      {
        "AverageCapacity": 0,
        "BaseCapacity": 0,
        "BaseHostID": 0,
        "CapacityTimestamp": 0,
        "CreationDate": "2005-12-22T00:54:48.708000+00:00",
        "Enabled": true,
        "ID": 100098,
        "ModificationDate": "2020-10-18T19:40:21.421000+00:00",
        "Name": "Host Port Scan Detected by Remote Host",
        "Origin": "SYSTEM",
        "Owner": "admin",
        "Type": "COMMON"
      }
    ]
  }
}

Human Readable Output

Rules List

| ID | Name | Type | CapacityTimestamp | Owner | Enabled | BaseCapacity | Origin | AverageCapacity | ModificationDate | CreationDate | BaseHostID |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 100057 | Login Successful After Scan Attempt | COMMON | 0 | admin | true | 0 | SYSTEM | 0 | 2020-10-18T19:40:21.886000+00:00 | 2007-10-14T20:12:00.374000+00:00 | 0 |
| 100091 | Botnet: Potential Botnet Connection (DNS) | COMMON | 0 | admin | false | 0 | SYSTEM | 0 | 2020-10-18T19:40:19.334000+00:00 | 2006-03-27T10:54:12.077000+00:00 | 0 |
| 100098 | Host Port Scan Detected by Remote Host | COMMON | 0 | admin | true | 0 | SYSTEM | 0 | 2020-10-18T19:40:21.421000+00:00 | 2005-12-22T00:54:48.708000+00:00 | 0 |

qradar-rule-groups-list

Retrieves a list of the rule groups.

Base Command

qradar-rule-groups-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| rule_group_id | The rule group ID for which to retrieve its details. Specify rule_group_id to get details about a specific rule group. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter rule groups, e.g., "id >= 125". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "owner,parent_id". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--analytics-rule_groups-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.RuleGroup.Owner | String | Owner of the group. |
| QRadar.RuleGroup.ModifiedTime | Date | Date since the group was last modified. |
| QRadar.RuleGroup.Level | Number | Depth of the group in the group hierarchy. |
| QRadar.RuleGroup.Name | String | Name of the group. |
| QRadar.RuleGroup.Description | String | Description of the group. |
| QRadar.RuleGroup.ID | Number | ID of the group. |
| QRadar.RuleGroup.ChildItems | String | Child items of the group. |
| QRadar.RuleGroup.ChildGroups | Number | Child group IDs. |
| QRadar.RuleGroup.Type | String | The type of the group. |
| QRadar.RuleGroup.ParentID | Number | ID of the parent group. |

Command Example#

!qradar-rule-groups-list

Context Example#

{
"QRadar": {
"RuleGroup": [
{
"ChildItems": [
"1607",
"1608",
"1609",
"1610",
"1611",
"1612",
"1613",
"1614",
"1615",
"1616",
"1617",
"1618",
"100039",
"100041",
"100037",
"100040",
"100038",
"100035",
"100036",
"100044",
"100034",
"100042",
"100045",
"100043"
],
"Description": "Rules focused on detection of suspicious asset reconciliation behavior.",
"ID": 125,
"Level": 2,
"ModifiedTime": "2014-01-06T15:23:26.060000+00:00",
"Name": "Asset Reconciliation Exclusion",
"Owner": "admin",
"ParentID": 3,
"Type": "RULE_GROUP"
},
{
"ChildItems": [
"1209",
"1210",
"100237",
"100238"
],
"Description": "Sample rules for building email and other responses based on a rule.",
"ID": 100,
"Level": 1,
"ModifiedTime": "2020-10-18T19:10:24.297000+00:00",
"Name": "Response",
"Owner": "admin",
"ParentID": 3,
"Type": "RULE_GROUP"
},
{
"ChildItems": [
"1219",
"1265",
"1335",
"1410",
"1411",
"1412",
"1431",
"1443",
"1460",
"1461",
"1471",
"1481",
"1509",
"1552",
"1566",
"100287",
"100001",
"100033",
"100003"
],
"Description": "Rules based on log source and event anomalies such as high event rates or excessive connections.",
"ID": 101,
"Level": 1,
"ModifiedTime": "2020-10-18T19:10:24.297000+00:00",
"Name": "Anomaly",
"Owner": "admin",
"ParentID": 3,
"Type": "RULE_GROUP"
}
]
}
}

Human Readable Output#

Rules Group List#

| ID | Name | Description | Owner | ChildGroups | Level | ParentID | Type | ChildItems | ModifiedTime |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 125 | Asset Reconciliation Exclusion | Rules focused on detection of suspicious asset reconciliation behavior. | admin | | 2 | 3 | RULE_GROUP | 1607, 1608, 1609, 1610, 1611, 1612, 1613, 1614, 1615, 1616, 1617, 1618, 100039, 100041, 100037, 100040, 100038, 100035, 100036, 100044, 100034, 100042, 100045, 100043 | 2014-01-06T15:23:26.060000+00:00 |
| 100 | Response | Sample rules for building email and other responses based on a rule. | admin | | 1 | 3 | RULE_GROUP | 1209, 1210, 100237, 100238 | 2020-10-18T19:10:24.297000+00:00 |
| 101 | Anomaly | Rules based on log source and event anomalies such as high event rates or excessive connections. | admin | | 1 | 3 | RULE_GROUP | 1219, 1265, 1335, 1410, 1411, 1412, 1431, 1443, 1460, 1461, 1471, 1481, 1509, 1552, 1566, 100287, 100001, 100033, 100003 | 2020-10-18T19:10:24.297000+00:00 |

qradar-assets-list#


Retrieves a list of assets.

Base Command#

qradar-assets-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | The ID of the asset whose details to retrieve. Specify asset_id to get details about a specific asset. | Optional |
| range | Range of results to return (e.g., 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter assets, e.g., "domain_id=0". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,interfaces,users,properties". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--asset_model-assets-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Endpoint.Domain | String | DNS name. |
| Endpoint.OS | String | Asset operating system. |
| Endpoint.MACAddress | String | Asset MAC address. |
| Endpoint.IPAddress | Unknown | IP addresses of the endpoint. |
| QRadar.Asset.Interfaces.id | Number | ID of the interface. |
| QRadar.Asset.Interfaces.mac_address | String | MAC address of the interface. Null if unknown. |
| QRadar.Asset.Interfaces.ip_addresses.id | Number | ID of the interface. |
| QRadar.Asset.Interfaces.ip_addresses.network_id | Number | Network ID of the network the IP belongs to. |
| QRadar.Asset.Interfaces.ip_addresses.value | String | The IP address. |
| QRadar.Asset.Interfaces.ip_addresses.type | String | Type of IP address. Possible values: "IPV4", "IPV6". |
| QRadar.Asset.Interfaces.ip_addresses.created | Date | Date when the IP address was created. |
| QRadar.Asset.Interfaces.ip_addresses.first_seen_scanner | Date | Date when the IP address was first seen during a vulnerability scan. |
| QRadar.Asset.Interfaces.ip_addresses.first_seen_profiler | Date | Date when the IP address was first seen in event or flow traffic. |
| QRadar.Asset.Interfaces.ip_addresses.last_seen_scanner | Date | Date when the IP address was most recently seen during a vulnerability scan. |
| QRadar.Asset.Interfaces.ip_addresses.last_seen_profiler | Date | Date when the IP address was most recently seen in event or flow traffic. |
| QRadar.Asset.Products.id | Number | The ID of this software product instance in QRadar's asset model. |
| QRadar.Asset.Products.product_variant_id | Number | The ID of this software product variant in QRadar's catalog of products. |
| QRadar.Asset.Products.first_seen_scanner | Date | Date when the product was first seen during a vulnerability scan. |
| QRadar.Asset.Products.first_seen_profiler | Date | Date when the product was first seen in event or flow traffic. |
| QRadar.Asset.Products.last_seen_scanner | Date | Date when the product was most recently seen during a vulnerability scan. |
| QRadar.Asset.Products.last_seen_profiler | Date | Date when the product was most recently seen in event or flow traffic. |
| QRadar.Asset.VulnerabilityCount | Number | The total number of vulnerabilities associated with this asset. |
| QRadar.Asset.RiskScoreSum | Number | The sum of the CVSS scores of the vulnerabilities on this asset. |
| QRadar.Asset.Hostnames.last_seen_profiler | Date | Date when the host was most recently seen in event or flow traffic. |
| QRadar.Asset.Hostnames.created | Date | Date when the host was created. |
| QRadar.Asset.Hostnames.last_seen_scanner | Date | Date when the host was most recently seen during a vulnerability scan. |
| QRadar.Asset.Hostnames.name | String | Name of the host. |
| QRadar.Asset.Hostnames.first_seen_scanner | Date | Date when the host was first seen during a vulnerability scan. |
| QRadar.Asset.Hostnames.id | Number | ID of the host. |
| QRadar.Asset.Hostnames.type | String | Type of the host. Possible values: "DNS", "NETBIOS", "NETBIOSGROUP". |
| QRadar.Asset.Hostnames.first_seen_profiler | Date | Date when the host was first seen in event or flow traffic. |
| QRadar.Asset.ID | Number | ID of the asset. |
| QRadar.Asset.Users.last_seen_profiler | Date | Date when the user was most recently seen in event or flow traffic. |
| QRadar.Asset.Users.last_seen_scanner | Date | Date when the user was most recently seen during a vulnerability scan. |
| QRadar.Asset.Users.first_seen_scanner | Date | Date when the user was first seen during a vulnerability scan. |
| QRadar.Asset.Users.id | Number | ID of the user. |
| QRadar.Asset.Users.first_seen_profiler | Date | Date when the user was first seen in event or flow traffic. |
| QRadar.Asset.Users.username | String | Name of the user. |
| QRadar.Asset.DomainID | Number | ID of the domain this asset belongs to. |
| QRadar.Asset.Properties.last_reported | Date | Date when the property was last updated. |
| QRadar.Asset.Properties.name | String | Name of the property. |
| QRadar.Asset.Properties.type_id | Number | Type ID of the property. |
| QRadar.Asset.Properties.id | Number | ID of the property. |
| QRadar.Asset.Properties.last_reported_by | String | The source of the most recent update to this property. |
| QRadar.Asset.Properties.value | String | Property value. |

Command Example#

!qradar-assets-list filter="id<1100" range=0-2

Context Example#

{
"QRadar": {
"Asset": [
{
"DomainID": 0,
"Hostnames": [
{
"created": "2021-02-02T19:05:12.138000+00:00",
"first_seen_profiler": "2021-02-02T19:05:12.138000+00:00",
"id": 1007,
"last_seen_profiler": "2021-02-15T13:20:23.530000+00:00",
"name": "HOST1233X11",
"type": "NETBIOS"
}
],
"ID": 1007,
"Properties": [
{
"id": 1006,
"last_reported": "2021-02-02T19:05:12.643000+00:00",
"last_reported_by": "IDENTITY:112",
"name": "Unified Name",
"type_id": 1002,
"value": "HOST1233X11"
}
],
"RiskScoreSum": 0,
"Users": [
{
"first_seen_profiler": "2021-02-02T19:05:12.138000+00:00",
"id": 1007,
"last_seen_profiler": "2021-02-15T13:20:23.530000+00:00",
"username": "Administrator"
}
],
"VulnerabilityCount": 0
},
{
"DomainID": 0,
"Hostnames": [
{
"created": "2021-02-02T19:05:12.139000+00:00",
"first_seen_profiler": "2021-02-02T19:05:12.139000+00:00",
"id": 1008,
"last_seen_profiler": "2021-02-15T13:20:23.532000+00:00",
"name": "-",
"type": "NETBIOS"
}
],
"ID": 1008,
"Properties": [
{
"id": 1007,
"last_reported": "2021-02-02T19:05:12.645000+00:00",
"last_reported_by": "IDENTITY:112",
"name": "Unified Name",
"type_id": 1002,
"value": "-"
}
],
"RiskScoreSum": 0,
"Users": [
{
"first_seen_profiler": "2021-02-02T19:05:12.139000+00:00",
"id": 1008,
"last_seen_profiler": "2021-02-15T13:20:23.532000+00:00",
"username": "DWM-3"
}
],
"VulnerabilityCount": 0
},
{
"DomainID": 0,
"Hostnames": [
{
"created": "2021-02-02T19:05:12.140000+00:00",
"first_seen_profiler": "2021-02-02T19:05:12.140000+00:00",
"id": 1009,
"last_seen_profiler": "2021-02-15T13:20:23.532000+00:00",
"name": "EC2AMAZ-ETKN6IA",
"type": "NETBIOS"
}
],
"ID": 1009,
"Properties": [
{
"id": 1008,
"last_reported": "2021-02-02T19:05:12.646000+00:00",
"last_reported_by": "IDENTITY:112",
"name": "Unified Name",
"type_id": 1002,
"value": "EC2AMAZ-ETKN6IA"
}
],
"RiskScoreSum": 0,
"Users": [
{
"first_seen_profiler": "2021-02-02T19:05:12.140000+00:00",
"id": 1009,
"last_seen_profiler": "2021-02-15T13:20:23.532000+00:00",
"username": "Administrator"
}
],
"VulnerabilityCount": 0
}
]
}
}

Human Readable Output#

Assets List#

| DomainID | Hostnames | ID | Properties | RiskScoreSum | Users | VulnerabilityCount |
| --- | --- | --- | --- | --- | --- | --- |
| 0 | {'last_seen_profiler': '2021-02-15T13:20:23.530000+00:00', 'created': '2021-02-02T19:05:12.138000+00:00', 'name': 'HOST1233X11', 'id': 1007, 'type': 'NETBIOS', 'first_seen_profiler': '2021-02-02T19:05:12.138000+00:00'} | 1007 | {'last_reported': '2021-02-02T19:05:12.643000+00:00', 'name': 'Unified Name', 'type_id': 1002, 'id': 1006, 'last_reported_by': 'IDENTITY:112', 'value': 'HOST1233X11'} | 0.0 | {'last_seen_profiler': '2021-02-15T13:20:23.530000+00:00', 'id': 1007, 'first_seen_profiler': '2021-02-02T19:05:12.138000+00:00', 'username': 'Administrator'} | 0 |
| 0 | {'last_seen_profiler': '2021-02-15T13:20:23.532000+00:00', 'created': '2021-02-02T19:05:12.139000+00:00', 'name': '-', 'id': 1008, 'type': 'NETBIOS', 'first_seen_profiler': '2021-02-02T19:05:12.139000+00:00'} | 1008 | {'last_reported': '2021-02-02T19:05:12.645000+00:00', 'name': 'Unified Name', 'type_id': 1002, 'id': 1007, 'last_reported_by': 'IDENTITY:112', 'value': '-'} | 0.0 | {'last_seen_profiler': '2021-02-15T13:20:23.532000+00:00', 'id': 1008, 'first_seen_profiler': '2021-02-02T19:05:12.139000+00:00', 'username': 'DWM-3'} | 0 |
| 0 | {'last_seen_profiler': '2021-02-15T13:20:23.532000+00:00', 'created': '2021-02-02T19:05:12.140000+00:00', 'name': 'EC2AMAZ-ETKN6IA', 'id': 1009, 'type': 'NETBIOS', 'first_seen_profiler': '2021-02-02T19:05:12.140000+00:00'} | 1009 | {'last_reported': '2021-02-02T19:05:12.646000+00:00', 'name': 'Unified Name', 'type_id': 1002, 'id': 1008, 'last_reported_by': 'IDENTITY:112', 'value': 'EC2AMAZ-ETKN6IA'} | 0.0 | {'last_seen_profiler': '2021-02-15T13:20:23.532000+00:00', 'id': 1009, 'first_seen_profiler': '2021-02-02T19:05:12.140000+00:00', 'username': 'Administrator'} | 0 |

qradar-saved-searches-list#


Retrieves a list of Ariel saved searches.

Base Command#

qradar-saved-searches-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| saved_search_id | The ID of the saved search whose details to retrieve. Specify saved_search_id to get details about a specific saved search. | Optional |
| timeout | Number of seconds until timeout for the specified command. Default is 35. | Optional |
| range | Range of results to return (e.g., 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter saved searches, e.g., "database=EVENTS and is_dashboard=true". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,owner,description". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--ariel-saved_searches-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.SavedSearch.Owner | String | Owner of the saved search. |
| QRadar.SavedSearch.Description | String | Description of the saved search. |
| QRadar.SavedSearch.CreationDate | Date | Date when the saved search was created. |
| QRadar.SavedSearch.UID | String | UID of the saved search. |
| QRadar.SavedSearch.Database | String | The database of the Ariel saved search: events or flows. |
| QRadar.SavedSearch.QuickSearch | Boolean | Whether the saved search is a quick search. |
| QRadar.SavedSearch.Name | String | Name of the saved search. |
| QRadar.SavedSearch.ModifiedDate | Date | Date when the saved search was most recently modified. |
| QRadar.SavedSearch.ID | Number | ID of the saved search. |
| QRadar.SavedSearch.AQL | String | The AQL query. |
| QRadar.SavedSearch.IsShared | Boolean | Whether the saved search is shared with other users. |

Command Example#

!qradar-saved-searches-list range=0-1

Context Example#

{
"QRadar": {
"SavedSearch": [
{
"AQL": "SELECT \"destinationPort\" AS 'Destination Port', UniqueCount(\"sourceIP\") AS 'Source IP (Unique Count)', UniqueCount(\"destinationIP\") AS 'Destination IP (Unique Count)', UniqueCount(qid) AS 'Event Name (Unique Count)', UniqueCount(logSourceId) AS 'Log Source (Unique Count)', UniqueCount(category) AS 'Low Level Category (Unique Count)', UniqueCount(\"protocolId\") AS 'Protocol (Unique Count)', UniqueCount(\"userName\") AS 'Username (Unique Count)', MAX(\"magnitude\") AS 'Magnitude (Maximum)', SUM(\"eventCount\") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events where ( (\"creEventList\"='100120') or (\"creEventList\"='100122') or (\"creEventList\"='100135') AND \"eventDirection\"='R2L' ) GROUP BY \"destinationPort\" order by \"Event Count (Sum)\" desc last 6 hours",
"CreationDate": "2010-08-04T19:44:51.630000+00:00",
"Database": "EVENTS",
"Description": "",
"ID": 2776,
"IsShared": true,
"ModifiedDate": "2020-10-18T19:39:16.160000+00:00",
"Name": "Remote Recon and Scanning Activity by Destination Port",
"Owner": "admin",
"QuickSearch": true,
"UID": "0d3cc801-52c3-4dbd-a43c-320cca195adc"
},
{
"AQL": "SELECT \"flowBias\" AS 'Flow Bias', UniqueCount(\"sourceIP\") AS 'Source IP (Unique Count)', UniqueCount(\"destinationIP\") AS 'Destination IP (Unique Count)', UniqueCount(\"destinationPort\") AS 'Destination Port (Unique Count)', UniqueCount(APPLICATIONNAME(applicationid)) AS 'Application (Unique Count)', UniqueCount(\"protocolId\") AS 'Protocol (Unique Count)', SUM(\"sourceBytes\") AS 'Source Bytes (Sum)', SUM(\"destinationBytes\") AS 'Destination Bytes (Sum)', SUM((SourceBytes + DestinationBytes)) AS 'Total Bytes (Sum)', SUM(\"sourcePackets\") AS 'Source Packets (Sum)', SUM(\"destinationPackets\") AS 'Destination Packets (Sum)', SUM((SourcePackets + DestinationPackets)) AS 'Total Packets (Sum)', COUNT(*) AS 'Count' from flows where ( ( (\"flowDirection\"='L2R') or (\"flowDirection\"='R2L') or (\"flowDirection\"='R2R') AND \"endTime\">='1284540300000' ) AND \"endTime\"<='1284561900000' ) GROUP BY \"flowBias\" order by \"Total Bytes (Sum)\" desc last 6 hours",
"CreationDate": "2010-07-22T17:33:06.761000+00:00",
"Database": "FLOWS",
"Description": "",
"ID": 2792,
"IsShared": true,
"ModifiedDate": "2020-10-18T19:39:16.043000+00:00",
"Name": "Flow Bias",
"Owner": "admin",
"QuickSearch": true,
"UID": "0fe9b644-2660-4465-a2a5-ccaf7c167b1f"
}
]
}
}

Human Readable Output#

Saved Searches List#

| ID | Name | ModifiedDate | Owner | AQL | IsShared | UID | Database | QuickSearch | CreationDate |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 2776 | Remote Recon and Scanning Activity by Destination Port | 2020-10-18T19:39:16.160000+00:00 | admin | SELECT "destinationPort" AS 'Destination Port', UniqueCount("sourceIP") AS 'Source IP (Unique Count)', UniqueCount("destinationIP") AS 'Destination IP (Unique Count)', UniqueCount(qid) AS 'Event Name (Unique Count)', UniqueCount(logSourceId) AS 'Log Source (Unique Count)', UniqueCount(category) AS 'Low Level Category (Unique Count)', UniqueCount("protocolId") AS 'Protocol (Unique Count)', UniqueCount("userName") AS 'Username (Unique Count)', MAX("magnitude") AS 'Magnitude (Maximum)', SUM("eventCount") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events where ( ("creEventList"='100120') or ("creEventList"='100122') or ("creEventList"='100135') AND "eventDirection"='R2L' ) GROUP BY "destinationPort" order by "Event Count (Sum)" desc last 6 hours | true | 0d3cc801-52c3-4dbd-a43c-320cca195adc | EVENTS | true | 2010-08-04T19:44:51.630000+00:00 |
| 2792 | Flow Bias | 2020-10-18T19:39:16.043000+00:00 | admin | SELECT "flowBias" AS 'Flow Bias', UniqueCount("sourceIP") AS 'Source IP (Unique Count)', UniqueCount("destinationIP") AS 'Destination IP (Unique Count)', UniqueCount("destinationPort") AS 'Destination Port (Unique Count)', UniqueCount(APPLICATIONNAME(applicationid)) AS 'Application (Unique Count)', UniqueCount("protocolId") AS 'Protocol (Unique Count)', SUM("sourceBytes") AS 'Source Bytes (Sum)', SUM("destinationBytes") AS 'Destination Bytes (Sum)', SUM((SourceBytes + DestinationBytes)) AS 'Total Bytes (Sum)', SUM("sourcePackets") AS 'Source Packets (Sum)', SUM("destinationPackets") AS 'Destination Packets (Sum)', SUM((SourcePackets + DestinationPackets)) AS 'Total Packets (Sum)', COUNT(*) AS 'Count' from flows where ( ( ("flowDirection"='L2R') or ("flowDirection"='R2L') or ("flowDirection"='R2R') AND "endTime">='1284540300000' ) AND "endTime"<='1284561900000' ) GROUP BY "flowBias" order by "Total Bytes (Sum)" desc last 6 hours | true | 0fe9b644-2660-4465-a2a5-ccaf7c167b1f | FLOWS | true | 2010-07-22T17:33:06.761000+00:00 |

qradar-searches-list#


Retrieves the list of Ariel search IDs. Search status and results can be polled by sending the search ID to the 'qradar-search-status-get' and 'qradar-search-results-get' commands.

Base Command#

qradar-searches-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| range | Range of results to return (e.g., 0-20, 3-5, 3-3). Default is 0-49. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.SearchID.SearchID | String | ID of the search. |

Command Example#

!qradar-searches-list

Context Example#

{
"QRadar": {
"SearchID": [
{
"SearchID": "a0dc7945-9e5b-4637-b4b9-024844a9d209"
},
{
"SearchID": "8081d060-9ee0-4d03-810c-d730ffb885be"
},
{
"SearchID": "37e58ffa-8e4d-48eb-b9d3-c4ff673b99e3"
},
{
"SearchID": "8c5517d0-b37f-45f7-b2e0-5b496d644991"
},
{
"SearchID": "63710473-4a8a-4d2e-b346-9cac9db59ab7"
},
{
"SearchID": "c39e4674-97c3-4123-b439-934f6ac7b5fd"
},
{
"SearchID": "3753e94a-1b3b-4fc6-b923-ec0d04769f2b"
},
{
"SearchID": "b01c9d11-02d0-4693-8df9-70883d6c9b65"
},
{
"SearchID": "10120fba-56f5-4c5c-ab55-cb79bb9890d2"
},
{
"SearchID": "4ef25d6f-e19a-4bef-9a29-dfd5d29aaeae"
},
{
"SearchID": "94f4fecb-114a-41d5-a636-c1bcec09e9ca"
},
{
"SearchID": "0044ffa4-850f-47ed-b79c-1ac298a8a4e3"
},
{
"SearchID": "4e2e81e2-9565-444f-8e06-5aecc0cb156c"
},
{
"SearchID": "2768aca6-52ff-45a0-8343-7470afe1ec54"
},
{
"SearchID": "20b09e0a-1df1-452b-8284-49cc66ea6b32"
},
{
"SearchID": "8c0b8293-7257-450d-92fd-f8701dbde9f3"
},
{
"SearchID": "52bcd78c-cf23-4ad9-beba-aac80e7880da"
},
{
"SearchID": "814b79c1-515a-4a54-90d7-cb0c5a7920c1"
},
{
"SearchID": "f19a88bb-2da7-40d2-8f26-77eac3f84e7d"
},
{
"SearchID": "14478391-2a3c-45f1-910e-3373addd7efe"
},
{
"SearchID": "98176f19-0a4c-454a-8275-ba72f9ffcc0f"
},
{
"SearchID": "12a7d8f0-851d-4b85-9246-c9b0f9239b96"
},
{
"SearchID": "b301b7a3-a524-4870-ac9c-471b907055e6"
},
{
"SearchID": "681c44d1-962c-4fcd-9b7a-53873741e658"
},
{
"SearchID": "800b8bd4-fa8f-48b3-ad6c-3343e65c6613"
},
{
"SearchID": "9322aa46-e30e-41d8-8df6-640fe8a8386b"
},
{
"SearchID": "254c810b-7e29-4e39-b49d-ab4c07bbe4f4"
},
{
"SearchID": "d3190c66-ed5e-4fca-99f8-50a95f498739"
},
{
"SearchID": "f04eabee-aebd-4a46-b76c-dceb80d022ee"
},
{
"SearchID": "6b97b870-f65f-47b0-8179-8d63eb38b3e9"
},
{
"SearchID": "b836df2c-b963-4bb9-9373-7d1bc8b8cdfe"
},
{
"SearchID": "1e4124e6-39a7-42c8-a4db-460aa8304fbd"
},
{
"SearchID": "fa98cf29-1356-48c1-9b3d-36d9bd6cbf34"
},
{
"SearchID": "fd0f3871-1737-4148-93c9-29b11acf57d4"
},
{
"SearchID": "dac2ae5a-26c6-4242-8743-978e20d07325"
},
{
"SearchID": "1fc95e9b-1779-4a2f-a06a-70781b2e0575"
},
{
"SearchID": "94bc9927-4eab-4709-a3e4-df844205d669"
},
{
"SearchID": "df7e25af-a602-42c1-b917-123718d187a2"
},
{
"SearchID": "dece365c-a76b-4774-bd8b-668907a28d27"
},
{
"SearchID": "fc37e5a1-2ea1-4e68-8b71-968f7df91aef"
},
{
"SearchID": "1d021ac3-8e64-4094-99f6-d7db0d04a59a"
},
{
"SearchID": "df9a8e6a-1c9e-4274-9af5-ae09dfc1b7c0"
},
{
"SearchID": "2476a797-ff1b-41c4-9b03-898f1cb4802a"
},
{
"SearchID": "4dfd311b-7190-43b5-9fc1-60bb5382b670"
},
{
"SearchID": "bbde3030-465f-4528-be91-ad69393064fa"
},
{
"SearchID": "678c257f-a3ad-4341-9192-ad6346ea899e"
},
{
"SearchID": "ca6ccbeb-b9fb-4f4a-bdec-ae1323da5d41"
},
{
"SearchID": "9aa18e0a-73b5-4ae7-9cb5-1d40dc9ace7c"
},
{
"SearchID": "dc27202b-5484-41d6-b095-bd9a31b852e3"
},
{
"SearchID": "484a28cf-a984-4e3a-9fd4-0c8f490c7e23"
}
]
}
}

Human Readable Output#

Search ID List#

SearchID
a0dc7945-9e5b-4637-b4b9-024844a9d209
8081d060-9ee0-4d03-810c-d730ffb885be
37e58ffa-8e4d-48eb-b9d3-c4ff673b99e3
8c5517d0-b37f-45f7-b2e0-5b496d644991
63710473-4a8a-4d2e-b346-9cac9db59ab7
c39e4674-97c3-4123-b439-934f6ac7b5fd
3753e94a-1b3b-4fc6-b923-ec0d04769f2b
b01c9d11-02d0-4693-8df9-70883d6c9b65
10120fba-56f5-4c5c-ab55-cb79bb9890d2
4ef25d6f-e19a-4bef-9a29-dfd5d29aaeae
94f4fecb-114a-41d5-a636-c1bcec09e9ca
0044ffa4-850f-47ed-b79c-1ac298a8a4e3
4e2e81e2-9565-444f-8e06-5aecc0cb156c
2768aca6-52ff-45a0-8343-7470afe1ec54
20b09e0a-1df1-452b-8284-49cc66ea6b32
8c0b8293-7257-450d-92fd-f8701dbde9f3
52bcd78c-cf23-4ad9-beba-aac80e7880da
814b79c1-515a-4a54-90d7-cb0c5a7920c1
f19a88bb-2da7-40d2-8f26-77eac3f84e7d
14478391-2a3c-45f1-910e-3373addd7efe
98176f19-0a4c-454a-8275-ba72f9ffcc0f
12a7d8f0-851d-4b85-9246-c9b0f9239b96
b301b7a3-a524-4870-ac9c-471b907055e6
681c44d1-962c-4fcd-9b7a-53873741e658
800b8bd4-fa8f-48b3-ad6c-3343e65c6613
9322aa46-e30e-41d8-8df6-640fe8a8386b
254c810b-7e29-4e39-b49d-ab4c07bbe4f4
d3190c66-ed5e-4fca-99f8-50a95f498739
f04eabee-aebd-4a46-b76c-dceb80d022ee
6b97b870-f65f-47b0-8179-8d63eb38b3e9
b836df2c-b963-4bb9-9373-7d1bc8b8cdfe
1e4124e6-39a7-42c8-a4db-460aa8304fbd
fa98cf29-1356-48c1-9b3d-36d9bd6cbf34
fd0f3871-1737-4148-93c9-29b11acf57d4
dac2ae5a-26c6-4242-8743-978e20d07325
1fc95e9b-1779-4a2f-a06a-70781b2e0575
94bc9927-4eab-4709-a3e4-df844205d669
df7e25af-a602-42c1-b917-123718d187a2
dece365c-a76b-4774-bd8b-668907a28d27
fc37e5a1-2ea1-4e68-8b71-968f7df91aef
1d021ac3-8e64-4094-99f6-d7db0d04a59a
df9a8e6a-1c9e-4274-9af5-ae09dfc1b7c0
2476a797-ff1b-41c4-9b03-898f1cb4802a
4dfd311b-7190-43b5-9fc1-60bb5382b670
bbde3030-465f-4528-be91-ad69393064fa
678c257f-a3ad-4341-9192-ad6346ea899e
ca6ccbeb-b9fb-4f4a-bdec-ae1323da5d41
9aa18e0a-73b5-4ae7-9cb5-1d40dc9ace7c
dc27202b-5484-41d6-b095-bd9a31b852e3
484a28cf-a984-4e3a-9fd4-0c8f490c7e23

qradar-search-create#


Creates a new asynchronous Ariel search. Returns the search ID. Search status and results can be polled by sending the search ID to the 'qradar-search-status-get' and 'qradar-search-results-get' commands. Accepts SELECT query expressions only.

Base Command#

qradar-search-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| query_expression | The AQL query to execute. Mutually exclusive with saved_search_id. | Optional |
| saved_search_id | Saved search ID to execute. Mutually exclusive with query_expression. Saved search ID is the 'id' field returned by the 'qradar-saved-searches-list' command. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.Status | String | Status of the newly created search. |
| QRadar.Search.ID | String | ID of the newly created search. |

Command Example#

!qradar-search-create query_expression="""SELECT "destinationPort" AS 'Destination Port', UniqueCount("sourceIP") AS 'Source IP (Unique Count)', UniqueCount("destinationIP") AS 'Destination IP (Unique Count)', UniqueCount(qid) AS 'Event Name (Unique Count)', UniqueCount(logSourceId) AS 'Log Source (Unique Count)', UniqueCount(category) AS 'Low Level Category (Unique Count)', UniqueCount("protocolId") AS 'Protocol (Unique Count)', UniqueCount("userName") AS 'Username (Unique Count)', MAX("magnitude") AS 'Magnitude (Maximum)', SUM("eventCount") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events where ( ("creEventList"='100120') or ("creEventList"='100122') or ("creEventList"='100135') AND "eventDirection"='R2L' ) GROUP BY "destinationPort" order by "Event Count (Sum)" desc last 6 hours"""

Context Example#

{
"QRadar": {
"Search": {
"ID": "a1ecef62-5d18-4a84-ba1d-b6c2645e419b",
"Status": "WAIT"
}
}
}

Human Readable Output#

Create Search#

| ID | Status |
| --- | --- |
| a1ecef62-5d18-4a84-ba1d-b6c2645e419b | WAIT |

qradar-search-status-get#


Retrieves status information for a search, based on the search ID.

Base Command#

qradar-search-status-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| search_id | The identifier for an Ariel search. | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.Status | String | Status of the search. |
| QRadar.Search.ID | String | ID of the search. |

Command Example#

!qradar-search-status-get search_id=e69df023-fff8-4d8c-a3b3-04d2b4b4af8a

Context Example#

{
"QRadar": {
"Search": {
"ID": "e69df023-fff8-4d8c-a3b3-04d2b4b4af8a",
"Status": "COMPLETED"
}
}
}

Human Readable Output#

Search Status For Search ID e69df023-fff8-4d8c-a3b3-04d2b4b4af8a#

| ID | Status |
| --- | --- |
| e69df023-fff8-4d8c-a3b3-04d2b4b4af8a | COMPLETED |

qradar-search-results-get#


Retrieves search results.

Base Command#

qradar-search-results-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| search_id | The identifier for an Ariel search. | Required |
| output_path | Replaces the default context output path for the query result (QRadar.Search.Result). E.g., for output_path=QRadar.Correlations, the result will be under the 'QRadar.Correlations' key in the context data. | Optional |
| range | Range of events to return (e.g., 0-20, 3-5, 3-3). Default is 0-49. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.Result | Unknown | The result of the search. |

Command Example#

!qradar-search-results-get search_id=e69df023-fff8-4d8c-a3b3-04d2b4b4af8a range=0-3

Context Example#

{
"QRadar": {
"SearchResult": [
{
"Destination Port": 5123,
"Source IP (Unique Count)": 1.0,
"Destination IP (Unique Count)": 1.0,
"Event Name (Unique Count)": 1.0,
"Log Source (Unique Count)": 1.0,
"Low Level Category (Unique Count)": 1.0,
"Protocol (Unique Count)": 1.0,
"Username (Unique Count)": 0.0,
"Magnitude (Maximum)": 9.0,
"Event Count (Sum)": 3.0,
"Count": 3.0
},
{
"Destination Port": 52310,
"Source IP (Unique Count)": 1.0,
"Destination IP (Unique Count)": 1.0,
"Event Name (Unique Count)": 1.0,
"Log Source (Unique Count)": 1.0,
"Low Level Category (Unique Count)": 1.0,
"Protocol (Unique Count)": 1.0,
"Username (Unique Count)": 0.0,
"Magnitude (Maximum)": 9.0,
"Event Count (Sum)": 1.0,
"Count": 1.0
},
{
"Destination Port": 54131,
"Source IP (Unique Count)": 1.0,
"Destination IP (Unique Count)": 1.0,
"Event Name (Unique Count)": 1.0,
"Log Source (Unique Count)": 1.0,
"Low Level Category (Unique Count)": 1.0,
"Protocol (Unique Count)": 1.0,
"Username (Unique Count)": 0.0,
"Magnitude (Maximum)": 9.0,
"Event Count (Sum)": 1.0,
"Count": 1.0
},
{
"Destination Port": 51263,
"Source IP (Unique Count)": 1.0,
"Destination IP (Unique Count)": 1.0,
"Event Name (Unique Count)": 1.0,
"Log Source (Unique Count)": 1.0,
"Low Level Category (Unique Count)": 1.0,
"Protocol (Unique Count)": 1.0,
"Username (Unique Count)": 0.0,
"Magnitude (Maximum)": 9.0,
"Event Count (Sum)": 1.0,
"Count": 1.0
}
]
}
}

Human Readable Output#

Search Results For Search ID e69df023-fff8-4d8c-a3b3-04d2b4b4af8a#

| Count | Destination IP (Unique Count) | Destination Port | Event Count (Sum) | Event Name (Unique Count) | Log Source (Unique Count) | Low Level Category (Unique Count) | Magnitude (Maximum) | Protocol (Unique Count) | Source IP (Unique Count) | Username (Unique Count) |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 3.0 | 1.0 | 5123 | 3.0 | 1.0 | 1.0 | 1.0 | 9.0 | 1.0 | 1.0 | 0.0 |
| 1.0 | 1.0 | 52310 | 1.0 | 1.0 | 1.0 | 1.0 | 9.0 | 1.0 | 1.0 | 0.0 |
| 1.0 | 1.0 | 54131 | 1.0 | 1.0 | 1.0 | 1.0 | 9.0 | 1.0 | 1.0 | 0.0 |
| 1.0 | 1.0 | 51263 | 1.0 | 1.0 | 1.0 | 1.0 | 9.0 | 1.0 | 1.0 | 0.0 |
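The create, poll-status, fetch-results sequence that the qradar-search-create, qradar-search-status-get and qradar-search-results-get sections describe, as an added Python example that is not part of the integration's own code. It assumes a `run_command` callable that returns a command's context dict in the shape shown under each Context Example (in a Cortex XSOAR automation that callable would wrap `demisto.executeCommand`); `FakeQRadar`, its sample rows and the EXECUTE, SORTING, CANCELED and ERROR status names are constructed here and do not appear on this page.

```python
import time
from typing import Any, Callable, Dict, List, Optional, Tuple

# Only WAIT and COMPLETED appear in this page's Context Examples; the other
# names are assumed Ariel statuses, grouped so the loop knows when to stop.
IN_FLIGHT = {"WAIT", "EXECUTE", "SORTING"}
TERMINAL_OK = {"COMPLETED"}
TERMINAL_FAIL = {"CANCELED", "ERROR"}

# (command name, arguments) -> the command's context dict (assumption: this is
# how the caller unwraps the command's output in an automation).
CommandRunner = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def validate_search_args(query_expression: Optional[str] = None,
                         saved_search_id: Optional[str] = None) -> Dict[str, str]:
    """Build qradar-search-create arguments under the documented constraints:
    exactly one of query_expression / saved_search_id, and SELECT-only AQL."""
    if bool(query_expression) == bool(saved_search_id):
        raise ValueError("specify exactly one of query_expression or saved_search_id")
    if query_expression:
        if not query_expression.lstrip().upper().startswith("SELECT"):
            raise ValueError("qradar-search-create accepts SELECT query expressions only")
        return {"query_expression": query_expression}
    return {"saved_search_id": str(saved_search_id)}


def run_ariel_search(run_command: CommandRunner, *,
                     query_expression: Optional[str] = None,
                     saved_search_id: Optional[str] = None,
                     output_path: str = "QRadar.Search.Result",
                     max_results: int = 50, max_polls: int = 30, interval: float = 2.0,
                     sleep: Callable[[float], None] = time.sleep) -> Tuple[str, List[Dict[str, Any]]]:
    """Create a search, poll until its status is terminal, then fetch results.

    Returns (search_id, rows). max_polls bounds the loop so a search that never
    leaves WAIT raises instead of blocking the playbook indefinitely."""
    args = validate_search_args(query_expression, saved_search_id)
    search = run_command("qradar-search-create", args)["QRadar"]["Search"]
    search_id, status = search["ID"], search["Status"]

    polls = 0
    while status in IN_FLIGHT:
        if polls >= max_polls:
            raise TimeoutError(f"search {search_id} still {status} after {polls} polls")
        sleep(interval)
        polls += 1
        status = run_command("qradar-search-status-get",
                             {"search_id": search_id})["QRadar"]["Search"]["Status"]
    if status in TERMINAL_FAIL or status not in TERMINAL_OK:
        raise RuntimeError(f"search {search_id} ended with status {status}")

    # range uses the page's "0-49" convention; output_path relocates the rows
    # in context exactly as the command's output_path argument documents.
    ctx = run_command("qradar-search-results-get",
                      {"search_id": search_id, "output_path": output_path,
                       "range": f"0-{max_results - 1}"})
    node: Any = ctx
    for part in output_path.split("."):
        node = node[part]
    return search_id, list(node)


class FakeQRadar:
    """Constructed stand-in for the integration, for offline use only.

    Each status poll advances one step along `transitions` and stays on the
    last one; rows are sample data modelled on the Search Results example."""

    SEARCH_ID = "a1ecef62-5d18-4a84-ba1d-b6c2645e419b"  # ID from the page's example

    def __init__(self, transitions=("WAIT", "EXECUTE", "COMPLETED")) -> None:
        self.transitions = list(transitions)
        self.calls: List[Tuple[str, Dict[str, Any]]] = []
        self.rows = [
            {"Destination Port": 5123, "Event Count (Sum)": 3.0, "Magnitude (Maximum)": 9.0},
            {"Destination Port": 52310, "Event Count (Sum)": 1.0, "Magnitude (Maximum)": 9.0},
        ]

    def status_polls(self) -> int:
        return sum(1 for name, _ in self.calls if name == "qradar-search-status-get")

    def __call__(self, command: str, args: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((command, dict(args)))
        if command == "qradar-search-create":
            return {"QRadar": {"Search": {"ID": self.SEARCH_ID, "Status": self.transitions[0]}}}
        if command == "qradar-search-status-get":
            step = min(self.status_polls(), len(self.transitions) - 1)
            return {"QRadar": {"Search": {"ID": args["search_id"],
                                          "Status": self.transitions[step]}}}
        if command == "qradar-search-results-get":
            ctx: Dict[str, Any] = {}
            node = ctx
            parts = args.get("output_path", "QRadar.Search.Result").split(".")
            for part in parts[:-1]:
                node = node.setdefault(part, {})
            node[parts[-1]] = list(self.rows)
            return ctx
        raise ValueError(f"unexpected command {command}")
```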

qradar-reference-sets-list#


Retrieves a list of reference sets.

Base Command#

qradar-reference-sets-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set whose details to retrieve. Specify ref_name to get details about a specific reference set. | Optional |
| date_value | If set to true, the command tries to convert the data values to ISO-8601 strings. Possible values are: True, False. Default is False. | Optional |
| range | Range of results to return (e.g., 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter reference sets, e.g., "timeout_type=FIRST_SEEN". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-sets-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.TimeoutType | String | Timeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN". |
| QRadar.Reference.NumberOfElements | Number | Number of elements in the reference set. |
| QRadar.Reference.TimeToLive | String | Time left to live for the reference. |
| QRadar.Reference.Data.LastSeen | Date | Date when this data was last seen. |
| QRadar.Reference.Data.FirstSeen | Date | Date when this data was first seen. |
| QRadar.Reference.Data.Source | String | Source of this data. |
| QRadar.Reference.Data.Value | String | Data value. |
| QRadar.Reference.CreationTime | Date | Date when the reference set was created. |
| QRadar.Reference.Name | String | Name of the reference set. |
| QRadar.Reference.ElementType | String | Type of the elements in the reference set. |

Command Example#

!qradar-reference-sets-list filter="timeout_type=FIRST_SEEN"

Context Example#

{
"QRadar": {
"Reference": [
{
"CreationTime": "2015-08-27T19:29:30.114000+00:00",
"ElementType": "IP",
"Name": "Mail Servers",
"NumberOfElements": 8,
"TimeoutType": "FIRST_SEEN"
},
{
"CreationTime": "2015-08-27T19:30:46.455000+00:00",
"ElementType": "IP",
"Name": "Web Servers",
"NumberOfElements": 0,
"TimeoutType": "FIRST_SEEN"
},
{
"CreationTime": "2015-08-27T19:28:55.265000+00:00",
"ElementType": "IP",
"Name": "DNS Servers",
"NumberOfElements": 0,
"TimeoutType": "FIRST_SEEN"
}
]
}
}

Human Readable Output#

Reference Sets List#

| Name | ElementType | TimeToLive | TimeoutType | NumberOfElements | CreationTime |
| --- | --- | --- | --- | --- | --- |
| Mail Servers | IP | | FIRST_SEEN | 8 | 2015-08-27T19:29:30.114000+00:00 |
| Web Servers | IP | | FIRST_SEEN | 0 | 2015-08-27T19:30:46.455000+00:00 |
| DNS Servers | IP | | FIRST_SEEN | 0 | 2015-08-27T19:28:55.265000+00:00 |

qradar-reference-set-create#


Creates a new reference set.

Base Command#

qradar-reference-set-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to be created. Reference names can be found in the 'Name' field of the 'qradar-reference-sets-list' command output. | Required |
| element_type | The element type for the values allowed in the reference set. Possible values are: ALN, ALNIC, NUM, IP, PORT, DATE. | Required |
| timeout_type | Indicates whether the time_to_live interval is based on when the data was first seen or last seen. Possible values are: FIRST_SEEN, LAST_SEEN, UNKNOWN. Default is UNKNOWN. | Optional |
| time_to_live | The time-to-live interval, expressed as a time range, for example '1 month' or '5 minutes'. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-sets-POST.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.TimeoutType | String | Timeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN". |
| QRadar.Reference.NumberOfElements | Number | Number of elements in the reference set. |
| QRadar.Reference.TimeToLive | String | Time left to live for the reference. |
| QRadar.Reference.Data.LastSeen | Date | Date when this data was last seen. |
| QRadar.Reference.Data.FirstSeen | Date | Date when this data was first seen. |
| QRadar.Reference.Data.Source | String | Source of this data. |
| QRadar.Reference.Data.Value | String | Data value. |
| QRadar.Reference.CreationTime | Date | Date when the reference set was created. |
| QRadar.Reference.Name | String | Name of the reference set. |
| QRadar.Reference.ElementType | String | Type of the elements in the reference set. |

Command Example#

!qradar-reference-set-create element_type=IP ref_name="Malicious IPs" time_to_live="1 year" timeout_type=FIRST_SEEN

Context Example#

{
"QRadar": {
"Reference": {
"CreationTime": "2021-03-03T08:36:41.077000+00:00",
"ElementType": "IP",
"Name": "Malicious IPs",
"NumberOfElements": 0,
"TimeToLive": "1 years 0 mons 0 days 0 hours 0 mins 0.00 secs",
"TimeoutType": "FIRST_SEEN"
}
}
}

Human Readable Output#

Reference Set Create#

| Name | ElementType | TimeToLive | TimeoutType | NumberOfElements | CreationTime |
| --- | --- | --- | --- | --- | --- |
| Malicious IPs | IP | 1 years 0 mons 0 days 0 hours 0 mins 0.00 secs | FIRST_SEEN | 0 | 2021-03-03T08:36:41.077000+00:00 |

qradar-reference-set-delete#


Removes a reference set or purges its contents.

Base Command#

qradar-reference-set-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to delete. Reference names can be found in the 'Name' field of the 'qradar-reference-sets-list' command. | Required |
| purge_only | Whether to purge only the contents of the reference set (true), keeping the reference set structure. If the value is 'false' or not specified, the reference set is removed completely. Possible values are: true, false. Default is false. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!qradar-reference-set-delete ref_name="Malicious IPs"

Human Readable Output#

Reference Malicious IPs Was Asked To Be Deleted. Current Deletion Status: QUEUED#

qradar-reference-set-value-upsert#


Adds or updates an element in a reference set.

Base Command#

qradar-reference-set-value-upsert

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to add or update an element in. Reference names can be found in the 'Name' field of the 'qradar-reference-sets-list' command. | Required |
| value | Comma-separated list of the values to add or update in the reference set. If the values are dates, the supported date formats are: epoch, ISO, and time range (<number> <time unit>, e.g., 12 hours, 7 days). | Required |
| source | An indication of where the data originated. Default is reference data api. | Optional |
| date_value | True if the specified values are dates. Possible values are: true, false. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-sets-name-POST.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.TimeoutType | String | Timeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN". |
| QRadar.Reference.NumberOfElements | Number | Number of elements in the reference set. |
| QRadar.Reference.TimeToLive | String | Time left to live for the reference. |
| QRadar.Reference.Data.LastSeen | Date | Date when this data was last seen. |
| QRadar.Reference.Data.FirstSeen | Date | Date when this data was first seen. |
| QRadar.Reference.Data.Source | String | Source of this data. |
| QRadar.Reference.Data.Value | String | Data value. |
| QRadar.Reference.CreationTime | Date | Date when the reference set was created. |
| QRadar.Reference.Name | String | Name of the reference set. |
| QRadar.Reference.ElementType | String | Type of the elements in the reference set. |

Command Example#

!qradar-reference-set-value-upsert ref_name="Malicious IPs" value="1.2.3.4,1.2.3.5,192.168.1.3"

Context Example#

{
"QRadar": {
"Reference": {
"CreationTime": "2021-03-03T08:36:41.077000+00:00",
"ElementType": "IP",
"Name": "Malicious IPs",
"NumberOfElements": 3,
"TimeToLive": "1 years 0 mons 0 days 0 hours 0 mins 0.00 secs",
"TimeoutType": "FIRST_SEEN"
}
}
}

Human Readable Output#

Reference Update Create#

| Name | ElementType | TimeToLive | TimeoutType | NumberOfElements | CreationTime |
| --- | --- | --- | --- | --- | --- |
| Malicious IPs | IP | 1 years 0 mons 0 days 0 hours 0 mins 0.00 secs | FIRST_SEEN | 3 | 2021-03-03T08:36:41.077000+00:00 |
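The upsert command takes a comma-separated `value` list and, for DATE sets, accepts epoch, ISO 8601 and "<number> <time unit>" forms. A playbook that feeds indicators into a reference set should validate values against the set's element type before sending them, otherwise a single malformed entry (a CIDR in an IP set, a port above 65535) fails the whole call. The following is an added example, not code from the QRadar v3 integration: it normalizes the `value` argument the way a caller would before invoking `qradar-reference-set-value-upsert`. The element types are the ones listed for `qradar-reference-set-create`; the assumptions are that a time range means that far in the past and that DATE sets store epoch milliseconds.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Element types listed for qradar-reference-set-create on this page.
ELEMENT_TYPES = {"ALN", "ALNIC", "NUM", "IP", "PORT", "DATE"}

# "<number> <time unit>" as in the value argument description, e.g. "12 hours".
_RANGE_RE = re.compile(r"^(\d+)\s*(minute|hour|day|week)s?$", re.IGNORECASE)


def parse_date_value(raw: str, now_ms: Optional[int] = None) -> int:
    """Accept epoch (seconds or milliseconds), ISO 8601, or a relative range and
    return epoch milliseconds. Assumptions of this example: a range is that far
    in the past relative to now_ms, and DATE sets store epoch milliseconds."""
    s = raw.strip()
    if s.isdigit():
        n = int(s)
        return n if n >= 10**11 else n * 1000  # 12+ digits: already milliseconds
    m = _RANGE_RE.match(s)
    if m:
        if now_ms is None:
            now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
        unit = m.group(2).lower() + "s"  # timedelta keyword: minutes, hours, days, weeks
        delta = timedelta(**{unit: int(m.group(1))})
        return now_ms - int(delta.total_seconds() * 1000)
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # naive ISO times are taken as UTC
    return int(dt.timestamp() * 1000)


def is_valid_value(value: str, element_type: str) -> bool:
    """Check a single value against the element type of the target set."""
    v = value.strip()
    if not v:
        return False
    try:
        if element_type == "IP":
            ipaddress.ip_address(v)  # IPv4 or IPv6; rejects '1.2.3' and CIDR notation
        elif element_type == "PORT":
            return v.isdigit() and 0 <= int(v) <= 65535
        elif element_type == "NUM":
            float(v)
        elif element_type == "DATE":
            parse_date_value(v)
        # ALN / ALNIC: free text; ALNIC values are matched case-insensitively by QRadar
        return True
    except ValueError:
        return False


def build_upsert(ref_name: str, element_type: str, value: str,
                 date_value: bool = False, source: str = "reference data api",
                 now_ms: Optional[int] = None) -> Dict:
    """Normalize the comma-separated `value` argument for one upsert call.
    element_type is the set's type as reported by qradar-reference-sets-list."""
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"unknown element type {element_type!r}")
    if date_value and element_type != "DATE":
        raise ValueError("date_value=true is only meaningful for a DATE set")
    raw = [v.strip() for v in value.split(",") if v.strip()]
    if element_type == "DATE":
        values: List[str] = [str(parse_date_value(v, now_ms)) for v in raw]
    else:
        bad = [v for v in raw if not is_valid_value(v, element_type)]
        if bad:
            raise ValueError(f"values not valid for {element_type}: {bad}")
        values = raw
    return {"ref_name": ref_name, "values": values, "source": source}


if __name__ == "__main__":
    # Same values as the command example above.
    print(build_upsert("Malicious IPs", "IP", "1.2.3.4,1.2.3.5,192.168.1.3"))
```

Rejecting bad values client-side keeps a failed bulk upsert from silently dropping the good indicators alongside the bad one, and the epoch heuristic (twelve or more digits means milliseconds) avoids inserting dates from 1970 when a caller passes seconds.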

qradar-reference-set-value-delete#


Removes a value from a reference set.

Base Command#

qradar-reference-set-value-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set from which to remove a value. Reference names can be found in the 'Name' field of the 'qradar-reference-sets-list' command. | Required |
| value | The value to remove from the reference set. If the specified value is a date, the supported date formats are: epoch, ISO, and time range (<number> <time unit>, e.g., 12 hours, 7 days). | Required |
| date_value | True if the specified value is a date. Possible values are: true, false. | Optional |

Context Output#

There is no context output for this command.

Command Example#

!qradar-reference-set-value-delete ref_name="Malicious IPs" value="1.2.3.4"

Human Readable Output#

value: 1.2.3.4 of reference: Malicious IPs was deleted successfully#

qradar-domains-list#


Gets the list of domains. You must have System Administrator or Security Administrator permissions to call this endpoint if you are trying to retrieve the details of all domains. You can retrieve details of domains that are assigned to your Security Profile without having the System Administrator or Security Administrator permissions. If you do not have the System Administrator or Security Administrator permissions, then for each domain assigned to your security profile you can only view the values for the ID and name fields. All other values return null.

Base Command#

qradar-domains-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| domain_id | The ID of the domain whose details to retrieve. Specify domain_id to get details about a specific domain. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter domains, e.g., "id > 3". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--config-domain_management-domains-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Domains.AssetScannerIDs | Number | Asset scanner IDs that are associated with the domain. |
| QRadar.Domains.CustomProperties | Unknown | Custom properties of the domain. |
| QRadar.Domains.Deleted | Boolean | Whether the domain has been deleted. |
| QRadar.Domains.Description | String | Description of the domain. |
| QRadar.Domains.EventCollectorIDs | Number | Event collector IDs that are assigned to this domain. |
| QRadar.Domains.FlowCollectorIDs | Number | Flow collector IDs that are assigned to this domain. |
| QRadar.Domains.FlowSourceIDs | Number | Flow source IDs that are assigned to this domain. |
| QRadar.Domains.ID | Number | ID of the domain. |
| QRadar.Domains.LogSourceGroupIDs | Number | Log source group IDs that are assigned to this domain. |
| QRadar.Domains.LogSourceIDs | Number | Log source IDs that are assigned to this domain. |
| QRadar.Domains.Name | String | Name of the domain. |
| QRadar.Domains.QVMScannerIDs | Number | QVM scanner IDs that are assigned to this domain. |
| QRadar.Domains.TenantID | Number | ID of the tenant that this domain belongs to. |

Command Example#

!qradar-domains-list

Context Example#

{
"QRadar": {
"Domains": {
"Deleted": false,
"Description": "",
"ID": 0,
"Name": "",
"TenantID": 0
}
}
}

Human Readable Output#

Domains List#

| Deleted | ID | TenantID |
| --- | --- | --- |
| false | 0 | 0 |

qradar-indicators-upload#


Uploads indicators to QRadar.

Base Command#

qradar-indicators-upload

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to add or update data in. Reference names can be found in the 'Name' field of the 'qradar-reference-sets-list' command. | Required |
| query | The query for getting indicators from Cortex XSOAR. | Optional |
| limit | The maximum number of indicators to fetch from Cortex XSOAR. Default is 50. | Optional |
| page | The page from which to get the indicators. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-maps-bulk_load-namespace-name-domain_id-POST.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.TimeoutType | String | Timeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN". |
| QRadar.Reference.NumberOfElements | Number | Number of elements in the reference set. |
| QRadar.Reference.TimeToLive | String | Time left to live for the reference. |
| QRadar.Reference.Data.LastSeen | Date | Date when this data was last seen. |
| QRadar.Reference.Data.FirstSeen | Date | Date when this data was first seen. |
| QRadar.Reference.Data.Source | String | Source of this data. |
| QRadar.Reference.Data.Value | String | Data value. |
| QRadar.Reference.CreationTime | Date | Date when the reference set was created. |
| QRadar.Reference.Name | String | Name of the reference set. |
| QRadar.Reference.ElementType | String | Type of the elements in the reference set. |

Command Example#

!qradar-indicators-upload ref_name="Mail Servers" limit=2 query="type:IP"

Context Example#

{
"QRadar": {
"Reference": {
"creation_time": "2015-08-27T19:29:30.114000+00:00",
"element_type": "IP",
"name": "Mail Servers",
"number_of_elements": 8,
"timeout_type": "FIRST_SEEN"
}
}
}

Human Readable Output#

Indicators Upload For Reference Set Mail Servers#

| creation_time | element_type | name | number_of_elements | timeout_type |
| --- | --- | --- | --- | --- |
| 2015-08-27T19:29:30.114000+00:00 | IP | Mail Servers | 8 | FIRST_SEEN |

Indicators Uploaded#

| Indicator Type | Indicator Value |
| --- | --- |
| IP | 1.2.3.4 |
| IP | 192.168.1.3 |

qradar-geolocations-for-ip#


Retrieves the MaxMind GeoIP data for the specified IP address.

Base Command#

qradar-geolocations-for-ip

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | Comma-separated list of IPs whose geolocation to retrieve. | Required |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "continent,ip_address". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--services-geolocations-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.GeoForIP.CityName | String | Name of the city that is associated with the IP address. |
| QRadar.GeoForIP.ContinentName | String | Name of the continent that is associated with the IP address. |
| QRadar.GeoForIP.LocationAccuracyRadius | Number | The approximate accuracy radius in kilometers around the latitude and longitude for the IP address. |
| QRadar.GeoForIP.LocationAverageIncome | Number | The average income associated with the IP address. |
| QRadar.GeoForIP.LocationLatitude | Number | The approximate latitude of the location associated with the IP address. |
| QRadar.GeoForIP.LocationTimezone | String | Timezone of the location. |
| QRadar.GeoForIP.LocationLongitude | Number | The approximate longitude of the location associated with the IP address. |
| QRadar.GeoForIP.LocationMetroCode | Number | The metro code associated with the IP address. These are only available for IP addresses in the US. Returns the same metro codes as the Google AdWords API. |
| QRadar.GeoForIP.LocationPopulationDensity | Number | The estimated number of people per square kilometer. |
| QRadar.GeoForIP.PhysicalCountryIsoCode | String | ISO code of the country where MaxMind believes the end user is located. |
| QRadar.GeoForIP.PhysicalCountryName | String | Name of the country where MaxMind believes the end user is located. |
| QRadar.GeoForIP.RegisteredCountryIsoCode | String | ISO code of the country in which the ISP has registered the IP address. |
| QRadar.GeoForIP.RegisteredCountryName | String | Name of the country in which the ISP has registered the IP address. |
| QRadar.GeoForIP.RepresentedCountryIsoCode | String | ISO code of the country that is represented by users of the IP address. |
| QRadar.GeoForIP.RepresentedCountryName | String | Name of the country that is represented by users of the IP address. |
| QRadar.GeoForIP.RepresentedCountryConfidence | Number | Value between 0-100 that represents MaxMind's confidence that the represented country is correct. |
| QRadar.GeoForIP.IPAddress | String | IP address to look up. |
| QRadar.GeoForIP.Traits.autonomous_system_number | Number | The autonomous system number associated with the IP address. |
| QRadar.GeoForIP.Traits.autonomous_system_organization | String | The organization associated with the registered autonomous system number for the IP address. |
| QRadar.GeoForIP.Traits.domain | String | The second level domain associated with the IP address. |
| QRadar.GeoForIP.Traits.internet_service_provider | String | The name of the internet service provider associated with the IP address. |
| QRadar.GeoForIP.Traits.organization | String | The name of the organization associated with the IP address. |
| QRadar.GeoForIP.Traits.user_type | String | The user type associated with the IP address. |
| QRadar.GeoForIP.Coordinates | Number | Latitude and longitude by MaxMind. |
| QRadar.GeoForIP.PostalCode | String | The postal code associated with the IP address. |
| QRadar.GeoForIP.PostalCodeConfidence | Number | Value between 0-100 that represents MaxMind's confidence that the postal code is correct. |

Command Example#

!qradar-geolocations-for-ip ip="1.2.3.4,1.2.3.5" range=0-1

Context Example#

{
"QRadar": {
"GeoForIP": [
{
"CityName": "Mukilteo",
"ContinentName": "NorthAmerica",
"Coordinates": [
47.913,
-122.3042
],
"IPAddress": "1.2.3.4",
"LocationAccuracyRadius": 1000,
"LocationLatitude": 47.913,
"LocationLongitude": -122.3042,
"LocationMetroCode": 819,
"LocationTimezone": "America/Los_Angeles",
"PhysicalCountryIsoCode": "US",
"PhysicalCountryName": "United States",
"PostalCode": "98275",
"RegisteredCountryIsoCode": "US",
"RegisteredCountryName": "United States"
},
{
"CityName": "Mukilteo",
"ContinentName": "NorthAmerica",
"Coordinates": [
47.913,
-122.3042
],
"IPAddress": "1.2.3.5",
"LocationAccuracyRadius": 1000,
"LocationLatitude": 47.913,
"LocationLongitude": -122.3042,
"LocationMetroCode": 819,
"LocationTimezone": "America/Los_Angeles",
"PhysicalCountryIsoCode": "US",
"PhysicalCountryName": "United States",
"PostalCode": "98275",
"RegisteredCountryIsoCode": "US",
"RegisteredCountryName": "United States"
}
]
}
}

Human Readable Output#

Geolocation For IP#

| CityName | ContinentName | Coordinates | IPAddress | LocationAccuracyRadius | LocationLatitude | LocationLongitude | LocationMetroCode | LocationTimezone | PhysicalCountryIsoCode | PhysicalCountryName | PostalCode | RegisteredCountryIsoCode | RegisteredCountryName |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Mukilteo | NorthAmerica | 47.913, -122.3042 | 1.2.3.4 | 1000 | 47.913 | -122.3042 | 819 | America/Los_Angeles | US | United States | 98275 | US | United States |
| Mukilteo | NorthAmerica | 47.913, -122.3042 | 1.2.3.5 | 1000 | 47.913 | -122.3042 | 819 | America/Los_Angeles | US | United States | 98275 | US | United States |

qradar-log-sources-list#


Retrieves a list of log sources.

Base Command#

qradar-log-sources-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| qrd_encryption_password | The password to use for encrypting the sensitive data of this endpoint. If no password is given, a random password is generated. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter log sources, e.g., "auto_discovered=false". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,status". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--config-event_sources-log_source_management-log_sources-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.LogSource.SendingIP | String | IP of the system which the log source is associated with, or fed by. |
| QRadar.LogSource.Internal | Boolean | Whether the log source is internal. |
| QRadar.LogSource.ProtocolParameters | Unknown | Protocol parameters. |
| QRadar.LogSource.Description | String | Description of the log source. |
| QRadar.LogSource.Enabled | Boolean | Whether the log source is enabled. |
| QRadar.LogSource.GroupIDs | Number | Log source group IDs. |
| QRadar.LogSource.Credibility | Number | Credibility of the log source. |
| QRadar.LogSource.ID | Number | ID of the log source. |
| QRadar.LogSource.ProtocolTypeID | Number | Protocol type used by the log source. |
| QRadar.LogSource.CreationDate | Date | Date when the log source was created. |
| QRadar.LogSource.Name | String | Name of the log source. |
| QRadar.LogSource.AutoDiscovered | Boolean | Whether the log source was auto discovered. |
| QRadar.LogSource.ModifiedDate | Date | Date when the log source was last modified. |
| QRadar.LogSource.TypeID | Number | The log source type. |
| QRadar.LogSource.LastEventTime | Date | Date when the last event was received by the log source. |
| QRadar.LogSource.Gateway | Boolean | Whether the log source is configured as a gateway. |
| QRadar.LogSource.Status | Unknown | Status of the log source. |

Command Example#

!qradar-log-sources-list qrd_encryption_algorithm=AES128

Context Example#

{
"QRadar": {
"LogSource": [
{
"AutoDiscovered": false,
"CreationDate": "2020-10-18T19:40:19.701000+00:00",
"Credibility": 10,
"Description": "Anomaly Detection Engine",
"Enabled": true,
"Gateway": false,
"GroupIDs": [
0
],
"ID": 66,
"Internal": true,
"LastEventTime": "1970-01-01T00:00:00+00:00",
"ModifiedDate": "2020-10-18T19:40:19.701000+00:00",
"Name": "Anomaly Detection Engine-2 :: ip-192.168.1.3",
"ProtocolParameters": [
{
"id": 0,
"name": "identifier",
"value": "127.0.0.1"
},
{
"id": 1,
"name": "incomingPayloadEncoding",
"value": "UTF-8"
}
],
"ProtocolTypeID": 0,
"Status": {
"last_updated": 0,
"status": "NA"
},
"TypeID": 207
},
{
"AutoDiscovered": false,
"CreationDate": "2020-10-18T19:40:19.705000+00:00",
"Credibility": 10,
"Description": "Search Results",
"Enabled": true,
"Gateway": false,
"GroupIDs": [
0
],
"ID": 68,
"Internal": true,
"LastEventTime": "2020-10-18T20:44:40.857000+00:00",
"ModifiedDate": "2020-10-18T19:40:19.705000+00:00",
"Name": "Search Results-2 :: ip-192.168.1.3",
"ProtocolParameters": [
{
"id": 0,
"name": "identifier",
"value": "127.0.0.1"
},
{
"id": 1,
"name": "incomingPayloadEncoding",
"value": "UTF-8"
}
],
"ProtocolTypeID": 0,
"Status": {
"last_updated": 0,
"messages": [
{
"severity": "ERROR",
"text": "Events have not been received from this Log Source in over 720 minutes."
}
],
"status": "ERROR"
},
"TypeID": 355
},
{
"AutoDiscovered": false,
"CreationDate": "2020-10-18T19:40:19.703000+00:00",
"Credibility": 10,
"Description": "Asset Profiler",
"Enabled": true,
"Gateway": false,
"GroupIDs": [
0
],
"ID": 67,
"Internal": true,
"LastEventTime": "2021-03-02T13:51:53.892000+00:00",
"ModifiedDate": "2020-10-18T19:40:19.703000+00:00",
"Name": "Asset Profiler-2 :: ip-192.168.1.3",
"ProtocolParameters": [
{
"id": 0,
"name": "identifier",
"value": "127.0.0.1"
},
{
"id": 1,
"name": "incomingPayloadEncoding",
"value": "UTF-8"
}
],
"ProtocolTypeID": 0,
"Status": {
"last_updated": 0,
"messages": [
{
"severity": "ERROR",
"text": "Events have not been received from this Log Source in over 720 minutes."
}
],
"status": "ERROR"
},
"TypeID": 267
}
]
}
}

Human Readable Output#

Log Sources List#

| ID | Name | Description | SendingIP | LastEventTime | CreationDate | ProtocolParameters | TypeID | Internal | Gateway | ProtocolTypeID | Status | GroupIDs | Credibility | AutoDiscovered | ModifiedDate | Enabled |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 66 | Anomaly Detection Engine-2 :: ip-192.168.1.3 | Anomaly Detection Engine |  | 1970-01-01T00:00:00+00:00 | 2020-10-18T19:40:19.701000+00:00 | {'name': 'identifier', 'id': 0, 'value': '127.0.0.1'}, {'name': 'incomingPayloadEncoding', 'id': 1, 'value': 'UTF-8'} | 207 | true | false | 0 | last_updated: 0, status: NA | 0 | 10 | false | 2020-10-18T19:40:19.701000+00:00 | true |
| 68 | Search Results-2 :: ip-192.168.1.3 | Search Results |  | 2020-10-18T20:44:40.857000+00:00 | 2020-10-18T19:40:19.705000+00:00 | {'name': 'identifier', 'id': 0, 'value': '127.0.0.1'}, {'name': 'incomingPayloadEncoding', 'id': 1, 'value': 'UTF-8'} | 355 | true | false | 0 | last_updated: 0, messages: {'severity': 'ERROR', 'text': 'Events have not been received from this Log Source in over 720 minutes.'}, status: ERROR | 0 | 10 | false | 2020-10-18T19:40:19.705000+00:00 | true |
| 67 | Asset Profiler-2 :: ip-192.168.1.3 | Asset Profiler |  | 2021-03-02T13:51:53.892000+00:00 | 2020-10-18T19:40:19.703000+00:00 | {'name': 'identifier', 'id': 0, 'value': '127.0.0.1'}, {'name': 'incomingPayloadEncoding', 'id': 1, 'value': 'UTF-8'} | 267 | true | false | 0 | last_updated: 0, messages: {'severity': 'ERROR', 'text': 'Events have not been received from this Log Source in over 720 minutes.'}, status: ERROR | 0 | 10 | false | 2020-10-18T19:40:19.703000+00:00 | true |
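The Status and LastEventTime fields above are what a SOC uses to catch a log source that has gone quiet, which is a detection gap long before it is an incident: a LastEventTime at the Unix epoch means the source never delivered an event, and QRadar's own ERROR message appears once a source is silent for 720 minutes. The following is an added example, not part of the integration, that triages `QRadar.LogSource` context with those two signals. The sample data is constructed: it reuses the three internal sources from the context example and adds three made-up external sources (IDs 101-103) so the default filtering is visible.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Constructed sample: the three internal sources from the context example above,
# plus three made-up external sources (IDs 101-103) to show the triage.
SAMPLE_LOG_SOURCES: List[Dict] = [
    {"ID": 66, "Name": "Anomaly Detection Engine-2 :: ip-192.168.1.3", "Enabled": True,
     "Internal": True, "LastEventTime": "1970-01-01T00:00:00+00:00",
     "Status": {"last_updated": 0, "status": "NA"}},
    {"ID": 68, "Name": "Search Results-2 :: ip-192.168.1.3", "Enabled": True,
     "Internal": True, "LastEventTime": "2020-10-18T20:44:40.857000+00:00",
     "Status": {"last_updated": 0, "status": "ERROR", "messages": [
         {"severity": "ERROR",
          "text": "Events have not been received from this Log Source in over 720 minutes."}]}},
    {"ID": 67, "Name": "Asset Profiler-2 :: ip-192.168.1.3", "Enabled": True,
     "Internal": True, "LastEventTime": "2021-03-02T13:51:53.892000+00:00",
     "Status": {"last_updated": 0, "status": "ERROR", "messages": [
         {"severity": "ERROR",
          "text": "Events have not been received from this Log Source in over 720 minutes."}]}},
    {"ID": 101, "Name": "Perimeter Firewall :: fw01", "Enabled": True, "Internal": False,
     "LastEventTime": "2021-03-02T02:00:00+00:00", "Status": {"status": "SUCCESS"}},
    {"ID": 102, "Name": "Domain Controller :: dc01", "Enabled": True, "Internal": False,
     "LastEventTime": "2021-03-02T23:30:00+00:00", "Status": {"status": "SUCCESS"}},
    {"ID": 103, "Name": "Decommissioned Proxy :: px01", "Enabled": False, "Internal": False,
     "LastEventTime": "2020-01-01T00:00:00+00:00", "Status": {"status": "NA"}},
]


def _parse_time(value: Optional[str]) -> Optional[datetime]:
    """Parse the ISO 8601 timestamps the integration returns; None if absent."""
    if not value:
        return None
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def silent_log_sources(log_sources: List[Dict], now: str,
                       max_silence: timedelta = timedelta(hours=12),
                       include_internal: bool = False) -> List[Dict]:
    """Return enabled log sources that have stopped sending or report ERROR.

    A LastEventTime at the Unix epoch (1970-01-01) means the source has never
    delivered an event. Internal QRadar sources are skipped by default because
    they are expected to be idle on a quiet system."""
    now_dt = _parse_time(now)
    findings = []
    for ls in log_sources:
        if not ls.get("Enabled"):
            continue  # disabled on purpose; not a visibility gap
        if ls.get("Internal") and not include_internal:
            continue
        reasons = []
        last = _parse_time(ls.get("LastEventTime"))
        if last is None or last.timestamp() == 0:
            reasons.append("never received an event")
        elif now_dt - last > max_silence:
            reasons.append(f"last event {now_dt - last} ago")
        status = ls.get("Status") or {}
        if status.get("status") == "ERROR":
            texts = "; ".join(m.get("text", "") for m in status.get("messages", []))
            reasons.append(f"status ERROR: {texts}")
        if reasons:
            findings.append({"id": ls["ID"], "name": ls["Name"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in silent_log_sources(SAMPLE_LOG_SOURCES, now="2021-03-03T00:00:00+00:00",
                                include_internal=True):
        print(f["id"], f["name"], "->", "; ".join(f["reasons"]))
```

Run against the output of `!qradar-log-sources-list` (for example with `filter="enabled=true"`), this is the check to schedule: a firewall or domain controller that has been silent for half a day is a collection failure that hides everything downstream of it, and the 720-minute ERROR from QRadar only fires after the fact.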

qradar-get-custom-properties#


Retrieves a list of event regex properties.

Base Command#

qradar-get-custom-properties

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| field_name | A comma-separated list of names of the exact properties to search for. | Optional |
| range | Range of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49. | Optional |
| filter | Query by which to filter regex properties, e.g., "auto_discovered=false". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,gateway". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--config-event_sources-custom_properties-regex_properties-GET.html. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Properties.identifier | String | ID of the event regex property. |
| QRadar.Properties.modification_date | Date | Date when the event regex property was last updated. |
| QRadar.Properties.datetime_format | String | Date/time pattern that the event regex property matches. |
| QRadar.Properties.property_type | String | Property type. Possible values: "STRING", "NUMERIC", "IP", "PORT", "TIME". |
| QRadar.Properties.name | String | Name of the event regex property. |
| QRadar.Properties.auto_discovered | Boolean | Whether the event regex property was auto discovered. |
| QRadar.Properties.description | String | Description of the event regex property. |
| QRadar.Properties.id | Number | ID of the event regex property. |
| QRadar.Properties.use_for_rule_engine | Boolean | Whether the event regex property is parsed when the event is received. |
| QRadar.Properties.creation_date | Date | Date when the event regex property was created. |
| QRadar.Properties.locale | String | Language tag of the locale the property matches. |
| QRadar.Properties.username | String | The owner of the event regex property. |

Command Example#

!qradar-get-custom-properties filter="id between 90 and 100" range=1-1231

Context Example#

{
"QRadar": {
"Properties": [
{
"auto_discovered": false,
"creation_date": "2008-09-13T00:52:08.857000+00:00",
"description": "Default custom extraction of the duration in minutes from DSM payload.",
"id": 98,
"identifier": "DEFAULTCUSTOMEVENT3",
"modification_date": "2008-09-13T00:52:08.857000+00:00",
"name": "Duration_Minutes",
"property_type": "numeric",
"use_for_rule_engine": false,
"username": "admin"
},
{
"auto_discovered": false,
"creation_date": "2008-09-13T00:52:08.857000+00:00",
"description": "Default custom extraction of the duration in seconds from DSM payload.",
"id": 99,
"identifier": "DEFAULTCUSTOMEVENT4",
"modification_date": "2008-09-13T00:52:08.857000+00:00",
"name": "Duration_Seconds",
"property_type": "numeric",
"use_for_rule_engine": false,
"username": "admin"
},
{
"auto_discovered": false,
"creation_date": "2008-09-13T00:52:08.857000+00:00",
"description": "Default custom extraction of realm from DSM payload.",
"id": 100,
"identifier": "DEFAULTCUSTOMEVENT5",
"modification_date": "2008-09-13T00:52:08.857000+00:00",
"name": "Realm",
"property_type": "string",
"use_for_rule_engine": false,
"username": "admin"
},
{
"auto_discovered": false,
"creation_date": "2008-09-13T00:52:08.857000+00:00",
"description": "Default custom extraction of role from DSM payload.",
"id": 96,
"identifier": "DEFAULTCUSTOMEVENT1",
"modification_date": "2008-09-13T00:52:08.857000+00:00",
"name": "Role",
"property_type": "string",
"use_for_rule_engine": false,
"username": "admin"
}
]
}
}

Human Readable Output#

Custom Properties#

| auto_discovered | creation_date | description | id | identifier | modification_date | name | property_type | use_for_rule_engine | username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| false | 2008-09-13T00:52:08.857000+00:00 | Default custom extraction of the duration in minutes from DSM payload. | 98 | DEFAULTCUSTOMEVENT3 | 2008-09-13T00:52:08.857000+00:00 | Duration_Minutes | numeric | false | admin |
| false | 2008-09-13T00:52:08.857000+00:00 | Default custom extraction of the duration in seconds from DSM payload. | 99 | DEFAULTCUSTOMEVENT4 | 2008-09-13T00:52:08.857000+00:00 | Duration_Seconds | numeric | false | admin |
| false | 2008-09-13T00:52:08.857000+00:00 | Default custom extraction of realm from DSM payload. | 100 | DEFAULTCUSTOMEVENT5 | 2008-09-13T00:52:08.857000+00:00 | Realm | string | false | admin |
| false | 2008-09-13T00:52:08.857000+00:00 | Default custom extraction of role from DSM payload. | 96 | DEFAULTCUSTOMEVENT1 | 2008-09-13T00:52:08.857000+00:00 | Role | string | false | admin |

qradar-reset-last-run#


Resets the fetch-incidents last run value, which returns the fetch to its initial state (the next fetch starts from the first available offense). Note: disable and then re-enable the QRadar instance for the reset to take effect immediately.

Base Command#

qradar-reset-last-run

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

Command Example#

!qradar-reset-last-run

Human Readable Output#

fetch-incidents was reset successfully.

qradar-ips-source-get#


Get Source IPs

Base Command#

qradar-ips-source-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| source_ip | Comma-separated list of source IPs whose data to retrieve, e.g., "192.168.0.1,192.160.0.2". | Optional |
| filter | Query by which to filter source IPs, e.g., filter=source_ip="192.168.0.1". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The argument uses QRadar's field names; for reference, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-source_addresses-GET.html. | Optional |
| range | Range of results to return, e.g., 0-20. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.SourceIP.ID | Number | The ID of the source address. |
| QRadar.SourceIP.DomainID | String | The ID of the associated domain. |
| QRadar.SourceIP.EventFlowCount | Number | The number of events and flows that are associated with the source address. |
| QRadar.SourceIP.FirstEventFlowSeen | Date | Date when the first event or flow was seen. |
| QRadar.SourceIP.LastEventFlowSeen | Date | Date when the last event or flow was seen. |
| QRadar.SourceIP.SourceIP | String | The IP address. |
| QRadar.SourceIP.Magnitude | Number | The magnitude of the source address. |
| QRadar.SourceIP.Network | String | The network of the source address. |
| QRadar.SourceIP.OffenseIDs | Unknown | List of offense IDs the source address is part of. |
| QRadar.SourceIP.LocalDestinationAddressIDs | Unknown | List of local destination address IDs associated with the source address. |

Command Example#

!qradar-ips-source-get filter=`source_ip="172.42.18.211"` range=0-2

Context Example#

{
"QRadar": {
"SourceIP": {
"DomainID": 0,
"EventFlowCount": 1081,
"FirstEventFlowSeen": "2021-03-31T10:02:25.972000+00:00",
"ID": 1,
"LastEventFlowSeen": "2021-08-14T09:59:52.596000+00:00",
"LocalDestinationAddressIDs": [
1,
2,
3,
4,
5
],
"Magnitude": 0,
"Network": "Net-10-172-192.Net_172_16_0_0",
"OffenseIDs": [
1,
4,
5,
9,
10,
11
],
"SourceIP": "172.42.18.211"
}
}
}

Human Readable Output#

Source IPs#

| DomainID | EventFlowCount | FirstEventFlowSeen | ID | LastEventFlowSeen | LocalDestinationAddressIDs | Magnitude | Network | OffenseIDs | SourceIP |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 1081 | 2021-03-31T10:02:25.972000+00:00 | 1 | 2021-08-14T09:59:52.596000+00:00 | 1, 2, 3, 4, 5 | 0 | Net-10-172-192.Net_172_16_0_0 | 1, 4, 5, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 | 172.42.18.211 |

qradar-ips-local-destination-get#


Get local destination IPs.

Base Command#

qradar-ips-local-destination-get

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| local_destination_ip | Comma-separated list of local destination IPs whose data to retrieve, e.g., "192.168.0.1,192.160.0.2". | Optional |
| filter | Query by which to filter local destination IPs, e.g., filter=local_destination_ip="192.168.0.1". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html. | Optional |
| fields | Comma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The argument uses QRadar's field names; for reference, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-local_destination_addresses-GET.html. | Optional |
| range | Range of results to return, e.g., 0-20. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.LocalDestinationIP.ID | Number | The ID of the destination address. |
| QRadar.LocalDestinationIP.DomainID | String | The ID of the associated domain. |
| QRadar.LocalDestinationIP.EventFlowCount | Number | The number of events and flows that are associated with the destination address. |
| QRadar.LocalDestinationIP.FirstEventFlowSeen | Date | Date when the first event or flow was seen. |
| QRadar.LocalDestinationIP.LastEventFlowSeen | Date | Date when the last event or flow was seen. |
| QRadar.LocalDestinationIP.LocalDestinationIP | String | The IP address. |
| QRadar.LocalDestinationIP.Magnitude | Number | The magnitude of the destination address. |
| QRadar.LocalDestinationIP.Network | String | The network of the destination address. |
| QRadar.LocalDestinationIP.OffenseIDs | Unknown | List of offense IDs the destination address is part of. |
| QRadar.LocalDestinationIP.SourceAddressIDs | Unknown | List of source address IDs associated with the destination address. |

Command Example#

!qradar-ips-local-destination-get filter=local_destination_ip="172.42.18.211"

Context Example#

{
"QRadar": {
"LocalDestinationIP": {
"DomainID": 0,
"EventFlowCount": 1635,
"FirstEventFlowSeen": "2021-03-31T10:02:25.965000+00:00",
"ID": 1,
"LastEventFlowSeen": "2021-08-14T09:59:52.596000+00:00",
"LocalDestinationIP": "172.42.18.211",
"Magnitude": 0,
"Network": "Net-10-172-192.Net_172_16_0_0",
"OffenseIDs": [
1,
4,
5
],
"SourceAddressIDs": [
1,
2
]
}
}
}

Human Readable Output#

Local Destination IPs#

| DomainID | EventFlowCount | FirstEventFlowSeen | ID | LastEventFlowSeen | LocalDestinationIP | Magnitude | Network | OffenseIDs | SourceAddressIDs |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 0 | 1635 | 2021-03-31T10:02:25.965000+00:00 | 1 | 2021-08-14T09:59:52.596000+00:00 | 172.42.18.211 | 0 | Net-10-172-192.Net_172_16_0_0 | 1, 4, 5, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42 | 1, 2 |

qradar-search-retrieve-events#

Polling command that searches for the events of a specific offense. It uses the instance parameters to build the AQL search query for the events.

Base Command#

qradar-search-retrieve-events

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The ID of the offense to retrieve. | Optional |
| query_expression | The AQL query to execute. Mutually exclusive with the other arguments. | Optional |
| retry_if_not_all_fetched | Whether to retry until all events are polled or stop when the first search is completed. | Optional |
| search_id | The search ID to query the results. | Optional |
| events_limit | The number of events to return. Mutually exclusive with query_expression. | Optional |
| events_columns | Comma-separated list of columns to return. Mutually exclusive with query_expression. | Optional |
| fetch_mode | The mode to use when fetching events. Mutually exclusive with query_expression. | Optional |
| start_time | The start time of the search. Mutually exclusive with query_expression. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.SearchEvents.Events | Unknown | The events from the QRadar search. |
| QRadar.SearchEvents.ID | String | The search ID. |
| QRadar.SearchEvents.Status | String | The status of the search. "wait": the search is still waiting for results. "partial": the search returned partial results. "success": the search returned the desired results. |
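To show how the arguments above fit together, here is an added example, written for this page and not taken from the integration, of a polling flow like the one this command implements. It builds the AQL from an offense ID and the instance-style parameters (the column list, `events_limit`, `fetch_mode` and `start_time`), enforces the mutual exclusivity with `query_expression`, and drives an Ariel search through the `wait` / `partial` / `success` statuses, retrying a new search when fewer events than expected came back and `retry_if_not_all_fetched` is set. The `MockArielClient` is a constructed stand-in for the `/ariel/searches` endpoints, the default column list and the two fetch-mode names are assumptions, and the rule that correlation events are those from the `Custom Rule Engine` log source type is this example's assumption as well.

```python
"""Added example (not the integration's own code): building the events AQL and
polling a QRadar Ariel search until it is complete."""
import re
from dataclasses import dataclass, field

# Assumed defaults standing in for the instance parameters named on this page.
DEFAULT_EVENT_COLUMNS = "QIDNAME(qid), LOGSOURCENAME(logsourceid), sourceip, destinationip, username"
EVENTS_SEARCH_TRIES = 3          # the Advanced Parameter described in the configuration table
FETCH_ALL = "Fetch With All Events"                  # assumed fetch_mode name
FETCH_CORRELATION = "Fetch Correlation Events Only"  # assumed fetch_mode name

# start_time is interpolated into the AQL, so only a plain timestamp is accepted.
_START_TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?::\d{2})?$")


def build_events_aql(offense_id=None, *, query_expression=None, events_columns=DEFAULT_EVENT_COLUMNS,
                     events_limit=20, fetch_mode=FETCH_ALL, start_time=None):
    """Return the AQL to run. query_expression is mutually exclusive with the other arguments."""
    if query_expression is not None:
        if offense_id is not None or start_time is not None:
            raise ValueError("query_expression is mutually exclusive with the other arguments")
        return query_expression
    if not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError("offense_id must be a non-negative integer")
    if not isinstance(events_limit, int) or events_limit <= 0:
        raise ValueError("events_limit must be a positive integer")
    where = f"INOFFENSE({offense_id})"
    if fetch_mode == FETCH_CORRELATION:
        # Assumption: correlation events are those produced by the Custom Rule Engine log source type.
        where += " AND LOGSOURCETYPENAME(devicetype) = 'Custom Rule Engine'"
    elif fetch_mode != FETCH_ALL:
        raise ValueError(f"unknown fetch_mode {fetch_mode!r}")
    aql = f"SELECT {events_columns} FROM events WHERE {where} LIMIT {events_limit}"
    if start_time is not None:
        if not _START_TIME_RE.match(start_time):
            raise ValueError("start_time must look like 'YYYY-MM-DD hh:mm[:ss]'")
        aql += f" START '{start_time}'"
    return aql


@dataclass
class MockArielClient:
    """Constructed stand-in for POST/GET /ariel/searches: every search reports WAIT,
    then EXECUTE, then COMPLETED on successive status calls."""
    results_per_search: list            # results of the 1st, 2nd, ... search created
    created: list = field(default_factory=list)
    _pending: dict = field(default_factory=dict)

    def create_search(self, aql):
        self.created.append(aql)
        search_id = f"search-{len(self.created)}"
        self._pending[search_id] = ["WAIT", "EXECUTE", "COMPLETED"]
        return search_id

    def get_status(self, search_id):
        queue = self._pending[search_id]
        return queue.pop(0) if len(queue) > 1 else queue[0]

    def get_results(self, search_id):
        index = int(search_id.rsplit("-", 1)[1]) - 1
        return list(self.results_per_search[index])


def search_step(client, search_id, expected_count):
    """One invocation of the polling command: map the Ariel status to the context Status."""
    status = client.get_status(search_id)
    if status in ("WAIT", "EXECUTE", "SORTING"):
        return {"ID": search_id, "Status": "wait", "Events": []}
    if status != "COMPLETED":
        raise RuntimeError(f"search {search_id} ended in state {status}")
    events = client.get_results(search_id)
    done = len(events) >= expected_count
    return {"ID": search_id, "Status": "success" if done else "partial", "Events": events}


def retrieve_events(client, aql, expected_count, retry_if_not_all_fetched=True, tries=EVENTS_SEARCH_TRIES):
    """Drive search_step to a final result. XSOAR re-invokes the command with search_id
    after each 'wait'; this loop does the same thing in-process."""
    search_id = client.create_search(aql)
    attempt = 1
    while True:
        ctx = search_step(client, search_id, expected_count)
        if ctx["Status"] == "wait":
            continue
        if ctx["Status"] == "partial" and retry_if_not_all_fetched and attempt < tries:
            attempt += 1                      # a fresh search may pick up late-indexed events
            search_id = client.create_search(aql)
            continue
        return ctx


if __name__ == "__main__":
    aql = build_events_aql(194, events_limit=50, start_time="2022-07-11 10:00")
    client = MockArielClient(results_per_search=[[{"qid": 1}], [{"qid": 1}, {"qid": 2}]])
    print(aql)
    print(retrieve_events(client, aql, expected_count=2))
```

With the mock returning one event for the first search and two for the second, the driver reports `partial` on the first search, starts a second one, and finishes with `success`; with `retry_if_not_all_fetched=False` it stops at `partial` after the first search, which is the trade-off the argument exposes.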

Command example#

!qradar-get-events-polling offense_id=194

Human Readable Output#

Events for offense 194#

| categoryname_category | categoryname_highlevelcategory | credibility | destinationgeographiclocation | destinationip | destinationport | destinationv6 | devicetime | eventDirection | eventcount | logsourcename_logsourceid | logsourcetypename_devicetype | magnitude | postNatDestinationIP | postNatDestinationPort | postNatSourceIP | postNatSourcePort | preNatDestinationPort | preNatSourceIP | preNatSourcePort | protocolname_protocolid | qiddescription_qid | qidname_qid | rulename_creEventList | severity | sourceMAC | sourcegeographiclocation | sourceip | sourceport | sourcev6 | starttime | username | utf8_payload |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-11T10:00:17.447000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-11T10:00:17.447000+00:00 | Administrator | <13>Jul 11 10:00:13 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1062969 TimeGenerated=1657533610 TimeWritten=1657533610 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-11 10:00:10.023 ProcessGuid: {E3E61DAB-F4AA-62CB-0100-00105274F412} ProcessId: 2660 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-F4A1-62CB-0100-0010B14FF412} ParentProcessId: 3248 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-10T10:00:25.313000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-10T10:00:25.313000+00:00 | Administrator | <13>Jul 10 10:00:13 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1056766 TimeGenerated=1657447209 TimeWritten=1657447209 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-10 10:00:09.706 ProcessGuid: {E3E61DAB-A329-62CA-0100-00105FA97D12} ProcessId: 4092 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-A321-62CA-0100-0010ED847D12} ParentProcessId: 7100 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-09T10:00:24.260000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-09T10:00:24.260000+00:00 | Administrator | <13>Jul 09 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1049952 TimeGenerated=1657360808 TimeWritten=1657360808 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-09 10:00:08.781 ProcessGuid: {E3E61DAB-51A8-62C9-0100-0010F8620812} ProcessId: 5900 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-51A1-62C9-0100-0010013C0812} ParentProcessId: 2336 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-08T10:00:20.193000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-08T10:00:20.193000+00:00 | Administrator | <13>Jul 08 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1043694 TimeGenerated=1657274408 TimeWritten=1657274408 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-08 10:00:08.715 ProcessGuid: {E3E61DAB-0028-62C8-0100-001084059111} ProcessId: 5192 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-0021-62C8-0100-001021E19011} ParentProcessId: 1572 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-07T10:00:21.084000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-07T10:00:21.084000+00:00 | Administrator | <13>Jul 07 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1037501 TimeGenerated=1657188009 TimeWritten=1657188009 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-07 10:00:09.325 ProcessGuid: {E3E61DAB-AEA9-62C6-0100-001085CC1911} ProcessId: 3628 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-AEA1-62C6-0100-001020A81911} ParentProcessId: 1820 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-06T10:00:20.516000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-06T10:00:20.516000+00:00 | Administrator | <13>Jul 06 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1031296 TimeGenerated=1657101609 TimeWritten=1657101609 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-06 10:00:09.214 ProcessGuid: {E3E61DAB-5D29-62C5-0100-0010E2D0A210} ProcessId: 1148 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-5D21-62C5-0100-001046ACA210} ParentProcessId: 3708 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-05T10:00:18.837000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-05T10:00:18.837000+00:00 | Administrator | <13>Jul 05 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1025096 TimeGenerated=1657015208 TimeWritten=1657015208 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-05 10:00:08.306 ProcessGuid: {E3E61DAB-0BA8-62C4-0100-0010AC8A2B10} ProcessId: 908 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-0BA1-62C4-0100-001097662B10} ParentProcessId: 6176 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-04T10:00:16.775000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-04T10:00:16.775000+00:00 | Administrator | <13>Jul 04 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1018907 TimeGenerated=1656928809 TimeWritten=1656928809 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-04 10:00:09.253 ProcessGuid: {E3E61DAB-BA29-62C2-0100-001018BFB40F} ProcessId: 2216 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-BA21-62C2-0100-0010B19AB40F} ParentProcessId: 1108 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-03T10:00:27.737000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-03T10:00:27.737000+00:00 | Administrator | <13>Jul 03 10:00:13 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1012720 TimeGenerated=1656842409 TimeWritten=1656842409 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-03 10:00:09.473 ProcessGuid: {E3E61DAB-68A9-62C1-0100-001095953D0F} ProcessId: 304 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-68A1-62C1-0100-001025713D0F} ParentProcessId: 2588 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-02T10:00:22.691000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-02T10:00:22.691000+00:00 | Administrator | <13>Jul 02 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1006529 TimeGenerated=1656756008 TimeWritten=1656756008 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-02 10:00:08.470 ProcessGuid: {E3E61DAB-1728-62C0-0100-0010FDDBC60E} ProcessId: 6352 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-1721-62C0-0100-0010F5B7C60E} ParentProcessId: 5976 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-01T10:00:27.596000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-07-01T10:00:27.596000+00:00 | Administrator | <13>Jul 01 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=1000331 TimeGenerated=1656669609 TimeWritten=1656669609 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-07-01 10:00:09.068 ProcessGuid: {E3E61DAB-C5A9-62BE-0100-00101B5C4F0E} ProcessId: 3688 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-C5A1-62BE-0100-00105D374F0E} ParentProcessId: 5388 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-06-30T10:00:23.086000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-06-30T10:00:23.086000+00:00 | Administrator | <13>Jun 30 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=994137 TimeGenerated=1656583208 TimeWritten=1656583208 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-06-30 10:00:08.646 ProcessGuid: {E3E61DAB-7428-62BD-0100-00105BDDD70D} ProcessId: 4392 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-7421-62BD-0100-001093B8D70D} ParentProcessId: 1568 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-06-28T10:00:18.327000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-06-28T10:00:18.327000+00:00 | Administrator | <13>Jun 28 10:00:10 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=981737 TimeGenerated=1656410408 TimeWritten=1656410408 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-06-28 10:00:08.567 ProcessGuid: {E3E61DAB-D128-62BA-0100-00104618EA0C} ProcessId: 4984 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-D121-62BA-0100-0010EEF3E90C} ParentProcessId: 2008 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |
| Potential Windows Exploit | Potential Exploit | 10 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-06-27T10:00:29.288000+00:00 | R2R | 1 | Custom Rule Engine-8 :: ip-172-31-41-4 | Custom Rule Engine | 8 | 0.0.0.0 | 0 | 0.0.0.0 | 0 | 0 | 0.0.0.0 | 0 | Reserved | Blacklisted hash detected in use | Blacklisted hash detected in use | Detected process with blacklist file hash, BB:NetworkDefinition: Honeypot like Addresses, BB:CategoryDefinition: Suspicious Event Categories, BB:CategoryDefinition: Suspicious Events, ECBB:CategoryDefinition: Destination IP is a Third Country/Region, BB:CategoryDefinition: Medium Magnitude Events, BB:CategoryDefinition: High Magnitude Events, Source Asset Weight is Low, Exploits Events with High Magnitude Become Offenses, Source Address is a Bogon IP, Destination Asset Weight is Low, BB:NetworkDefinition: Darknet Addresses, BB:BehaviorDefinition: Compromise Activities, Load Basic Building Blocks | 10 | 00:00:00:00:00:00 | other | 1.1.1.1 | 0 | 0:0:0:0:0:0:0:0 | 2022-06-27T10:00:29.288000+00:00 | Administrator | <13>Jun 27 10:00:13 1.1.1.1 AgentDevice=WindowsLog AgentLogFile=Microsoft-Windows-Sysmon/Operational PluginVersion=1.1.1.1 Source=Microsoft-Windows-Sysmon Computer=EC2AMAZ-ETKN6IA OriginatingComputer=EC2AMAZ-ETKN6IA User=SYSTEM Domain=NT AUTHORITY EventID=1 EventIDCode=1 EventType=4 EventCategory=1 RecordNumber=975545 TimeGenerated=1656324009 TimeWritten=1656324009 Level=Informational Keywords=0x8000000000000000 Task=SysmonTask-SYSMON_CREATE_PROCESS Opcode=Info Message=Process Create: RuleName: UtcTime: 2022-06-27 10:00:09.442 ProcessGuid: {E3E61DAB-7FA9-62B9-0100-001025A5730C} ProcessId: 6868 Image: C:\Program Files\Internet Explorer\iexplore.exe FileVersion: 11.00.14393.2007 (rs1_release.171231-1800) Description: Internet Explorer Product: Internet Explorer Company: Microsoft Corporation OriginalFileName: IEXPLORE.EXE CommandLine: "C:\Program Files\Internet Explorer\iexplore.exe" CurrentDirectory: C:\Windows\system32\ User: EC2AMAZ-ETKN6IA\Administrator LogonGuid: {E3E61DAB-9C68-5F54-0000-0020EB970200} LogonId: 0x297EB TerminalSessionId: 2 IntegrityLevel: High Hashes: SHA1=D4ABAC114DBE28BAD8855C10D37F2B727177C9CA ParentProcessGuid: {E3E61DAB-7FA1-62B9-0100-00106F80730C} ParentProcessId: 2008 ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -F "C:\Users\Administrator\Desktop\playbook.ps1" |

qradar-remote-network-cidr-create#


Create remote network CIDRs.

Base Command#

qradar-remote-network-cidr-create

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| cidrs | An input list of CIDRs to add to QRadar (can be obtained automatically from the EDL integrations and playbook). Multiple values in the same object are separated by commas. A CIDR or query is required. | Optional |
| query | The query for getting indicators from Cortex XSOAR. A CIDR or query is required. | Optional |
| name | A CIDR (remote network) name that will be displayed for all uploaded values in QRadar. | Required |
| description | Description that will be displayed and associated with all the newly uploaded CIDRs on QRadar. | Required |
| group | The exact name of the remote network group that CIDRs should be associated with, as it appears in QRadar. A single group can be assigned to each create command. A new remote network group can be created in QRadar by giving a new unique remote network group name (one that does not already exist in QRadar remote networks). | Required |
| fields | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded from the output. The possible fields are id, group, name, cidr, and description. | Optional |

Context Output#

There is no context output for this command.

Command example#

!qradar-remote-network-cidr-create cidrs=1.2.3.4/32,8.8.8.8/2 name=example_name description=example_description group=example_group

Human Readable Output#

The new staged remote network was successfully created.#

| Field | Value |
| --- | --- |
| cidrs | 1.2.3.4/32, 8.8.8.8/2 |
| description | example_description |
| group | example_group |
| id | 12 |
| name | example_name |
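
The create and update commands take `cidrs` as a comma-separated string, and the example above stages `8.8.8.8/2`, a prefix that has host bits set and spans a quarter of the IPv4 space, which is almost always a typo rather than an intended remote network. The following Python helper is an added example, not part of the QRadar v3 integration: it normalizes such a list before it is handed to the command, accepts bare IPs (as EDL feeds often emit them) as host routes, and flags prefixes broader than an assumed threshold.

```python
"""Pre-flight validation for the `cidrs` argument of
qradar-remote-network-cidr-create / -update.

Added example, not part of the QRadar v3 integration. It takes the
comma-separated string the commands expect and returns the normalized
CIDRs plus warnings, so a playbook can stop before staging a remote
network that is invalid or far broader than intended.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# Assumption: a prefix shorter than this is treated as a probable typo.
# /8 is a generous upper bound for a legitimate IPv4 remote network.
MIN_IPV4_PREFIXLEN = 8
MIN_IPV6_PREFIXLEN = 32


@dataclass
class CidrCheck:
    cidrs: List[str] = field(default_factory=list)     # normalized, de-duplicated
    warnings: List[str] = field(default_factory=list)  # suspicious but accepted
    errors: List[str] = field(default_factory=list)    # reject the whole argument

    @property
    def ok(self) -> bool:
        return not self.errors


def check_cidrs(raw: str) -> CidrCheck:
    """Parse the comma-separated `cidrs` value and normalize every entry."""
    result = CidrCheck()
    seen = set()
    for token in (t.strip() for t in raw.split(",")):
        if not token:
            continue
        try:
            # strict=False lets a bare IP through as a /32 (or /128) and
            # clears host bits on a prefix instead of raising.
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            result.errors.append(f"{token}: not a valid IP address or CIDR")
            continue
        canonical = str(net)
        if "/" in token and canonical != token:
            # Host bits were silently cleared: 8.8.8.8/2 became 0.0.0.0/2.
            result.warnings.append(f"{token}: host bits set, normalized to {canonical}")
        limit = MIN_IPV4_PREFIXLEN if net.version == 4 else MIN_IPV6_PREFIXLEN
        if net.prefixlen < limit:
            result.warnings.append(
                f"{canonical}: /{net.prefixlen} covers {net.num_addresses} addresses, "
                f"wider than /{limit}; check the prefix length")
        if canonical not in seen:
            seen.add(canonical)
            result.cidrs.append(canonical)
    if not result.cidrs and not result.errors:
        result.errors.append("no CIDRs supplied; a CIDR or query is required")
    return result


def to_command_argument(check: CidrCheck) -> str:
    """Re-join the normalized list into the comma-separated form the command takes."""
    if not check.ok:
        raise ValueError("; ".join(check.errors))
    return ",".join(check.cidrs)


if __name__ == "__main__":
    # Constructed input: the page's create example plus a bare IP and a bad octet.
    res = check_cidrs("1.2.3.4/32,8.8.8.8/2,10.0.0.7,300.1.1.1/24")
    for w in res.warnings:
        print("WARNING:", w)
    for e in res.errors:
        print("ERROR:", e)
    print("normalized:", res.cidrs)
```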

qradar-remote-network-cidr-list#


Retrieves a list of staged remote networks.

Base Command#

qradar-remote-network-cidr-list

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | The maximum number of results to return. The default is 50. | Optional |
| page | The page number from which to start getting results. | Optional |
| page_size | The number of results to return per page. | Optional |
| group | The name of the remote network group that CIDRs are associated with, as it appears in QRadar. | Optional |
| id | ID of the CIDR (remote network). | Optional |
| name | The name of the CIDRs (remote network) as it appears in QRadar. | Required |
| filter | Additional options to filter results using a query expression. | Optional |
| fields | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded from the output. The possible fields are id, group, name, cidr, and description. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.RemoteNetworkCIDR | Number | A list of all the retrieved CIDRs. |
| QRadar.RemoteNetworkCIDR.id | Number | ID of each CIDR remote network that is part of the group. |
| QRadar.RemoteNetworkCIDR.name | String | The associated CIDR name as it appears in QRadar. |
| QRadar.RemoteNetworkCIDR.description | String | The associated CIDR description as it appears in QRadar. |

Command example#

!qradar-remote-network-cidr-list range=0-1

Human Readable Output#

List of the staged remote networks#

| cidrs | description | group | id | name |
| --- | --- | --- | --- | --- |
| 1.2.3.4/32, 8.8.8.8/2 | example_description | example_group1 | 12 | example_name |
| 127.0.0.1/32 | example_description | example_group2 | 13 | example_name |

qradar-remote-network-cidr-delete#


Deletes an existing staged remote network.

Base Command#

qradar-remote-network-cidr-delete

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID that is used to locate the staged remote network to remove from QRadar. | Required |

Context Output#

There is no context output for this command.

Command example#

!qradar-remote-network-cidr-delete id=1,2,3,4

Human Readable Output#

Successfully deleted the following remote network#

| ID |
| --- |
| 1 |
| 4 |

Failed to delete the following remote network#

| ID | Error |
| --- | --- |
| 2 | Error in API call [404] - 404. Delete failed. Staged remote network with id=2 does not exist. |
| 3 | Error in API call [404] - 404. Delete failed. Staged remote network with id=3 does not exist. |

qradar-remote-network-cidr-update#


Updates an existing staged remote network.

Base Command#

qradar-remote-network-cidr-update

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | The ID that is associated with the CIDR object that needs to be modified. | Required |
| name | The CIDR name in QRadar. If the CIDR name should be changed, it can be inserted here. | Required |
| cidrs | An input list of CIDRs to add to QRadar (can be obtained automatically from the EDL integrations and playbook). Multiple values in the same object are separated by commas. A CIDR or query is required. | Optional |
| query | The query for getting indicators from Cortex XSOAR. A CIDR or query is required. | Optional |
| description | CIDR-associated description presented in QRadar. If the CIDR description should be changed, it can be inserted here. | Required |
| group | The remote network group that CIDRs should belong to. If the CIDR-associated group should be changed, it can be inserted here. | Required |
| fields | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets, and separate multiple fields in the same object with commas. The possible fields are id, group, name, cidr, and description. | Optional |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.RemoteNetworkCIDR | Number | A list of all the CIDR ranges that were changed. |
| QRadar.RemoteNetworkCIDR.id | Number | The associated CIDR ID. |
| QRadar.RemoteNetworkCIDR.name | String | The associated CIDR name. |
| QRadar.RemoteNetworkCIDR.group | String | The group to which the remote network belongs. |
| QRadar.RemoteNetworkCIDR.description | String | The associated CIDR description. |

Command example#

!qradar-remote-network-cidr-update id=45 name="Malicious-IPs-for-blocking" description="Malicious-IPs-for-blocking" group=testenv cidrs=1.2.3.4/8,5.6.7.8/32

Human Readable Output#

List of the staged remote networks#

| Field | Value |
| --- | --- |
| cidrs | 1.2.3.4/8, 5.6.7.8/32 |
| description | Malicious-IPs-for-blocking |
| group | testenv |
| id | 45 |
| name | Malicious-IPs-for-blocking |

qradar-remote-network-deploy-execution#


Executes a deployment.

Base Command#

qradar-remote-network-deploy-execution

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| host_ip | The IP of the QRadar console host. | Required |
| status | The deployment status. Must be in capital letters (“INITIATING”). | Optional |
| deployment_type | The deployment type. Must be in capital letters (“INCREMENTAL” or “FULL”). | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| QRadar.deploy.status | String | The deployment status (INITIALIZING, IN_PROGRESS, COMPLETE). |

Command example#

!qradar-remote-network-deploy-execution status=INITIATING deployment_type=INCREMENTAL host_ip=127.0.0.1

Human Readable Output#

The remote network deploy execution was successfully created.