Skip to main content

IBM QRadar v3

This Integration is part of the IBM QRadar Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

IBM QRadar SIEM helps security teams accurately detect and prioritize threats across the enterprise, supports API versions 10.1 and above. Provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents. This integration was integrated and tested with version 14-20 of QRadar v3

Configure IBM QRadar v3 on Cortex XSOAR#

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for IBM QRadar v3.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionRequired
    Server URL(e.g., https://1.1.1.1\)True
    UsernameTrue
    PasswordTrue
    QRadar API VersionAPI version of QRadar (e.g., '12.0'). Minimum API version is 10.1.True
    Incident TypeFalse
    First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)if no offenses are found within the range of first fetch, will be set to fetch the earliest offense.False
    Fetch modeTrue
    Retry events fetchWhenever enabled, the integration retries to fetch all events if the number of events fetched is less than `event_count`. Default number of tries is 3, but can be configured via the Advanced Parameter: EVENTS_SEARCH_TRIES. e.g EVENTS_SEARCH_TRIES=5False
    Maximum number of events per incident.The maximal amount of events to pull per incident.False
    Number of offenses to pull per API call (max 50)In case of mirroring with events, this value will be used for mirroring API calls as well, and it is advised to have a small value.False
    Query to fetch offenses.Define a query to determine which offenses to fetch. E.g., "severity >= 4 AND id > 5". filtering by status in the query may result in unexpected behavior when changing an incident's status.False
    Incidents EnrichmentIPs enrichment transforms IDs of the IPs of the offense to IP values. Asset enrichment adds correlated assets to the fetched offenses.True
    Event fields to return from the events query (WARNING: This parameter is correlated to the incoming mapper and changing the values may adversely affect mapping).The parameter uses the AQL SELECT syntax. For more information, see: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.4/com.ibm.qradar.doc/c_aql_intro.htmlFalse
    Mirroring OptionsHow mirroring from QRadar to Cortex XSOAR should be done, available from QRadar 7.3.3 Fix Pack 3. For further explanation on how to check your QRadar version, see the integration documentation at https://xsoar.pan.dev.False
    Close Mirrored XSOAR IncidentWhen selected, closing the QRadar offense is mirrored in Cortex XSOAR.False
    The number of incoming incidents to mirror each timeMaximum number of incoming incidents to mirror each time.False
    Advanced ParametersComma-separated configuration for advanced parameter values. E.g., EVENTS_INTERVAL_SECS=20,FETCH_SLEEP=5False
    Trust any certificate (not secure)False
    Use system proxy settingsFalse
    Timeout for http-requestsThe timeout of the HTTP requests sent to the Qradar API (in seconds). If no value is provided, the timeout will be set to 60 seconds.False
    Fetch Incidents IntervalThe fetch interval between before each fetch-incidents execution. (seconds)False
  4. Click Test to validate the URLs, token, and connection.

Required Permissions#

ComponentPermission
AssetsVulnerability Management or Assets
DomainsAdmin
Offenses (Manage Closing Reason)Manage Offense Closing Reasons
Offenses (Assign Offenses to Users)Assign Offenses to Users
Offenses (Read)Offenses
References (Create/Update)Admin
References (Read)View Reference Data

Mapping Limitation for Cortex XSOAR Versions below 6.0.0#

The Pull from instance option to create a new mapper is not supported in Cortex XSOAR versions below 6.0.0.

Creating a Classifier Using the Pull from instance Parameter#

QRadar fetches incidents using a long-running execution, not in real time. Therefore, Pull from instance pulls incidents from the QRadar service to create a classifier using samples, not real time data. This results in seeing the latest sample stored, and not the latest offense that was fetched.

Important Note Regarding the Query to fetch offenses Parameter#

The Query to fetch offenses feature enables defining a specific query for offenses to be retrieved, e.g., 'status = OPEN and id = 5'. The QRadar integration keeps track of IDs that have already been fetched in order to avoid duplicate fetching.
If you change the Query to fetch offenses value, it will not re-fetch offenses that have already been fetched. To re-fetch those offenses, run the qradar-reset-last-run command.
Note:
The list of QRadar IDs that were already fetched will be reset and duplicate offenses could be re-fetched, depending on the user query.

Migration from QRadar v2 to QRadar v3#

Every command and playbook that runs in QRadar v2 also runs in QRadar v3. No adjustments are required.

Additions and Changes from QRadar v2 to QRadar v3#

New Commands#

  • qradar-rule-groups-list
  • qradar-searches-list
  • qradar-geolocations-for-ip
  • qradar-log-sources-list
  • qradar-upload-indicators
  • get-modified-remote-data

Command Name Changes#

QRadar v2 commandQRadar V3 commandNotes
qradar-offensesqradar-offenses-list
qradar-offense-by-idqradar-offenses-listSpecify the offense_id argument in the command.
qradar-update-offenseqradar-offense-update
qradar-get-closing-reasonsqradar-closing-reasons
qradar-get-noteqradar-offense-notes-list
qradar-create-noteqradar-offense-note-create
qradar-get-assetsqradar-assets-list
qradar-get-asset-by-idqradar-assets-listSpecify the asset_id argument in the command.
qradar-searchesqradar-search-create
qradar-get-searchqradar-search-status-get
qradar-get-search-resultsqradar-search-results-get
qradar-get-reference-by-nameqradar-reference-sets-listSpecify the ref_name argument in the command.
qradar-create-reference-setqradar-reference-set-create
qradar-delete-reference-setqradar-reference-set-delete
qradar-create-reference-set-valueqradar-reference-set-value-upsert
qradar-update-reference-set-valueqradar-reference-set-value-upsert
qradar-delete-reference-set-valueqradar-reference-set-value-delete
qradar-get-domainsqradar-domains-list
qradar-domains-listqradar-get-domain-by-idSpecify the domain_id argument in the command.

Mirroring#

This integration supports in mirroring from QRadar offenses to Cortex XSOAR.
When a field of an offense is updated in QRadar services, the update is mirrored in Cortex XSOAR.

Mirroring Events#

  • Mirroring events from QRadar to Cortex XSOAR is supported via the Mirror Offense and Events option.
  • Events will only be mirrored in the incoming direction.
  • Mirroring events will only work when the Long running instance parameter is enabled.
  • Filtering events using the events_limit and events_columns options for mirrored incidents will be the same as in the fetched incidents.
  • The integration will always mirror the events that occurred first in each offense.

For more information about mirroring configurations, see here.

Use the API Token Instead of Username and Password#

  • In the Username / API Key field, type _api_token_key.
  • In the Password field, type your API token.

Choose Your API Version#

  1. Visit the QRadar API versions page for a full list of available API versions according to the QRadar version.
  2. Choose one of the API versions listed under the Supported REST API versions column in the line corresponding to your QRadar version.

Note:
If you're uncertain which API version to use, it is recommended to use the latest API version listed in the Supported REST API versions column in the line corresponding to your QRadar version.

View Your QRadar Version#

  1. Enter QRadar service.
  2. Click the Menu toolbar. A scrolling toolbar will appear.
  3. Click About. A new window will appear with the details of your QRadar version.

Troubleshooting#

When Fetch with events is configured, the integration will fetch the offense events from QRadar. Nevertheless, some events may not be available when trying to fetch them during an incident creation. If Retry events fetch is enabled, the integration tries to fetch more events when the number fetched is less than the expected event_count. In the default setting, the integration will try 3 times, with a wait time of 100 seconds between retries. In order to change the default values, configure the following Advanced Parameters in the instance configuration:

EVENTS_SEARCH_TRIES=<amount of tries for events search> (default 3),EVENTS_SEARCH_RETRY_SECONDS=<amount of seconds to wait between tries> (default 100),EVENTS_POLLING_TRIES=<number of times to poll for one search> (default 10),

It is recommended to enable mirroring, as it should fetch previously missed events when the offense is updated. Alternatively, the retrieve events command can be used to retrieve the events immediately. If the command takes too long to finish executing, try setting the interval_in_seconds to a lower value (down to a minimum of 10 seconds).

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

qradar-offenses-list#


Gets offenses from QRadar.

Base Command#

qradar-offenses-list

Input#

Argument NameDescriptionRequired
offense_idThe offense ID to retrieve its details. Specify offense_id to get details about a specific offense.Optional
enrichmentIPs enrichment transforms IDs of the IPs of the offense to IP values. Asset enrichment adds correlated assets to the fetched offenses. Possible values are: IPs, IPs And Assets, None. Default is None.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery to filter offenses, e.g., "severity >= 4 AND id > 5 AND status=OPEN". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,severity,status". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Offense.DescriptionStringDescription of the offense.
QRadar.Offense.Rules.idNumberThe ID of the rule.
QRadar.Offense.Rules.typeStringThe type of the rule.
QRadar.Offense.Rules.nameStringThe name of the rule.
QRadar.Offense.EventCountNumberNumber of events that are associated with the offense.
QRadar.Offense.FlowCountNumberNumber of flows that are associated with the offense.
QRadar.Offense.AssignedToStringThe user to whom the offense is assigned.
QRadar.Offense.FollowupBooleanWhether the offense is marked for follow-up.
QRadar.Offense.SourceAddressNumberSource addresses (IPs if IPs enrich have been requested, else IDs of the IPs) that are associated with the offense.
QRadar.Offense.ProtectedBooleanWhether the offense is protected.
QRadar.Offense.ClosingUserStringThe user who closed the offense.
QRadar.Offense.DestinationHostnameStringDestination networks that are associated with the offense.
QRadar.Offense.CloseTimeDateTime when the offense was closed.
QRadar.Offense.RemoteDestinationCountNumberNumber of remote destinations that are associated with the offense.
QRadar.Offense.StartTimeDateDate of the earliest item that contributed to the offense.
QRadar.Offense.MagnitudeNumberMagnitude of the offense.
QRadar.Offense.LastUpdatedTimeStringDate of the most recent item that contributed to the offense.
QRadar.Offense.CredibilityNumberCredibility of the offense.
QRadar.Offense.IDNumberID of the offense.
QRadar.Offense.CategoriesStringEvent categories that are associated with the offense.
QRadar.Offense.SeverityNumberSeverity of the offense.
QRadar.Offense.ClosingReasonStringReason the offense was closed.
QRadar.Offense.OffenseTypeStringType of the offense.
QRadar.Offense.RelevanceNumberRelevance of the offense.
QRadar.Offense.OffenseSourceStringSource of the offense.
QRadar.Offense.DestinationAddressNumberDestination addresses (IPs if IPs enrichment have been requested, else IDs of the IPs) that are associated with the offense.
QRadar.Offense.StatusStringStatus of the offense. Possible values: "OPEN", "HIDDEN", "CLOSED".
QRadar.Offense.LinkToOffenseStringLink to the URL containing information about the offense.
QRadar.Offense.AssetsStringAssets correlated to the offense, if enrichment was requested.

Command example#

!qradar-offenses-list enrichment=IPs filter="status=OPEN" range=0-2

Context Example#

{
"QRadar": {
"Offense": [
{
"AssignedTo": "admin",
"Categories": [
"Information",
"Suspicious Activity",
"Process Creation Success",
"Suspicious Windows Events",
"User Login Attempt",
"Misc Login Succeeded",
"Virtual Machine Creation Attempt",
"Read Activity Attempted",
"Object Download Attempt"
],
"Credibility": 4,
"Description": "Detected A Successful Login From Different Geographies For the Same Username - AWSCloud (Exp Center)\n preceded by An AWS API Has Been Invoked From Kali - AWSCloud (Exp Center)\n preceded by Microsoft Word Launc\n preceded by Detected a Massive Creation of EC2 Instances - AWSCloud (Exp Center)\n containing Mail Server Info Message\n",
"DestinationAddress": [
"1.1.1.1",
"1.1.1.1"
],
"DestinationHostname": [
"other",
"Net-10-172-192.Net_192_168_0_0"
],
"EventCount": 35651,
"FlowCount": 0,
"Followup": true,
"ID": 14,
"LastUpdatedTime": "2023-07-26T15:31:11.839000+00:00",
"LinkToOffense": "https://ec2.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=14",
"Magnitude": 4,
"OffenseSource": "userD",
"OffenseType": "Username",
"Protected": false,
"Relevance": 0,
"RemoteDestinationCount": 1,
"Rules": [
{
"id": 102539,
"name": "EC: AWS Cloud - Detected An Email with An Attachment From a Spam Sender",
"type": "CRE_RULE"
},
{
"id": 102589,
"name": "EC: AWS Cloud - Microsoft Word Launched a Command Shell",
"type": "CRE_RULE"
},
{
"id": 102639,
"name": "EC: AWS Cloud - Detected A Successful Login From Different Geographies For the Same Username",
"type": "CRE_RULE"
},
{
"id": 102389,
"name": "EC: AWS Cloud - An AWS API Has Been Invoked From Kali",
"type": "CRE_RULE"
},
{
"id": 102439,
"name": "EC: AWS Cloud - A Database backup Has Been Downloaded From S3 Bucket",
"type": "CRE_RULE"
},
{
"id": 102489,
"name": "EC: AWS Cloud - Detected a Massive Creation of EC2 Instances",
"type": "CRE_RULE"
}
],
"Severity": 10,
"SourceAddress": [
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1"
],
"StartTime": "2023-07-26T14:31:13.387000+00:00",
"Status": "OPEN"
},
{
"Categories": [
"Mail",
"System Failure"
],
"Credibility": 2,
"Description": "Flow Source/Interface Stopped Sending Flows\n",
"DestinationAddress": [
"1.1.1.1"
],
"DestinationHostname": [
"Net-10-172-192.Net_10_0_0_0"
],
"EventCount": 2,
"FlowCount": 6026,
"Followup": true,
"ID": 13,
"LastUpdatedTime": "2023-06-12T08:49:50.145000+00:00",
"LinkToOffense": "https://ec2.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=13",
"Magnitude": 1,
"OffenseSource": "Flow Source Stopped Sending Flows",
"OffenseType": "Rule",
"Protected": true,
"Relevance": 0,
"RemoteDestinationCount": 0,
"Rules": [
{
"id": 100270,
"name": "Flow Source Stopped Sending Flows",
"type": "CRE_RULE"
}
],
"Severity": 1,
"SourceAddress": [
"1.1.1.1",
"1.1.1.1",
"1.1.1.1"
],
"StartTime": "2023-06-12T08:19:02.020000+00:00",
"Status": "OPEN"
},
{
"Categories": [
"User Activity"
],
"Credibility": 3,
"Description": "User Account Created and Used and Deleted within a short time frame (Exp Center)\n",
"DestinationAddress": [
"1.1.1.1"
],
"DestinationHostname": [
"Net-10-172-192.Net_172_16_0_0"
],
"EventCount": 8,
"FlowCount": 0,
"Followup": true,
"ID": 12,
"LastUpdatedTime": "2023-06-12T08:17:33.008000+00:00",
"LinkToOffense": "https://ec2.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=12",
"Magnitude": 2,
"OffenseSource": "badadmin",
"OffenseType": "Username",
"Protected": true,
"Relevance": 0,
"RemoteDestinationCount": 0,
"Rules": [
{
"id": 102989,
"name": "EC: User Account Created and Used and Removed",
"type": "CRE_RULE"
}
],
"Severity": 5,
"SourceAddress": [
"1.1.1.1"
],
"StartTime": "2023-06-12T08:15:54.740000+00:00",
"Status": "OPEN"
}
]
}
}

Human Readable Output#

Offenses List#

IDDescriptionOffenseTypeStatusSeverityDestinationHostnameLastUpdatedTimeCredibilityRulesSourceAddressAssignedToOffenseSourceFollowupEventCountStartTimeFlowCountDestinationAddressLinkToOffenseRemoteDestinationCountRelevanceCategoriesMagnitudeProtected
14Detected A Successful Login From Different Geographies For the Same Username - AWSCloud (Exp Center)
preceded by An AWS API Has Been Invoked From Kali - AWSCloud (Exp Center)
preceded by Microsoft Word Launc
preceded by Detected a Massive Creation of EC2 Instances - AWSCloud (Exp Center)
containing Mail Server Info Message
UsernameOPEN10other,
Net-10-172-192.Net_192_168_0_0
2023-07-26T15:31:11.839000+00:004{'id': 102539, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Detected An Email with An Attachment From a Spam Sender'},
{'id': 102589, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Microsoft Word Launched a Command Shell'},
{'id': 102639, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Detected A Successful Login From Different Geographies For the Same Username'},
{'id': 102389, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - An AWS API Has Been Invoked From Kali'},
{'id': 102439, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - A Database backup Has Been Downloaded From S3 Bucket'},
{'id': 102489, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Detected a Massive Creation of EC2 Instances'}
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1
adminuserDtrue356512023-07-26T14:31:13.387000+00:0001.1.1.1,
1.1.1.1
https://ec2.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=1410Information,
Suspicious Activity,
Process Creation Success,
Suspicious Windows Events,
User Login Attempt,
Misc Login Succeeded,
Virtual Machine Creation Attempt,
Read Activity Attempted,
Object Download Attempt
4false
13Flow Source/Interface Stopped Sending Flows
RuleOPEN1Net-10-172-192.Net_10_0_0_02023-06-12T08:49:50.145000+00:002{'id': 100270, 'type': 'CRE_RULE', 'name': 'Flow Source Stopped Sending Flows'}1.1.1.1,
1.1.1.1,
1.1.1.1
Flow Source Stopped Sending Flowstrue22023-06-12T08:19:02.020000+00:0060261.1.1.1https://ec2-1.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=1300Mail,
System Failure
1true
12User Account Created and Used and Deleted within a short time frame (Exp Center)
UsernameOPEN5Net-10-172-192.Net_172_16_0_02023-06-12T08:17:33.008000+00:003{'id': 102989, 'type': 'CRE_RULE', 'name': 'EC: User Account Created and Used and Removed'}1.1.1.1badadmintrue82023-06-12T08:15:54.740000+00:0001.1.1.1https://ec2-3.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=1200User Activity2true

qradar-offense-update#


Updates an offense.

Base Command#

qradar-offense-update

Input#

Argument NameDescriptionRequired
offense_idThe ID of the offense to update.Required
enrichmentIPs enrichment transforms IDs of the IPs of the offense to IP values. Asset enrichment adds correlated assets to the fetched offenses. Possible values are: IPs, IPs And Assets, None. Default is None.Optional
protectedWhether the offense should be protected. Possible values are: true, false.Optional
follow_upWhether the offense should be marked for follow-up. Possible values are: true, false.Optional
statusThe new status for the offense. When the status of an offense is set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status. Possible values are: OPEN, HIDDEN, CLOSED.Optional
closing_reason_idThe ID of a closing reason. You must provide a valid closing_reason_id when you close an offense. For a full list of closing reason IDs, use the 'qradar-closing-reasons' command.Optional
closing_reason_nameThe name of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing_reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation.Optional
assigned_toUser to assign the offense to.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,severity,status". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-offense_id-POST.html.Optional

Context Output#

PathTypeDescription
QRadar.Offense.DescriptionStringDescription of the offense.
QRadar.Offense.Rules.idNumberThe ID of the rule.
QRadar.Offense.Rules.typeStringThe type of the rule.
QRadar.Offense.Rules.nameStringThe name of the rule.
QRadar.Offense.EventCountNumberNumber of events that are associated with the offense.
QRadar.Offense.FlowCountNumberNumber of flows that are associated with the offense.
QRadar.Offense.AssignedToStringThe user to whom the offense is assigned.
QRadar.Offense.FollowupBooleanWhether the offense is marked for follow-up.
QRadar.Offense.SourceAddressNumberSource addresses (IPs if IPs enrich have been requested, else IDs of the IPs) that are associated with the offense.
QRadar.Offense.ProtectedBooleanWhether the offense is protected.
QRadar.Offense.ClosingUserStringThe user who closed the offense.
QRadar.Offense.DestinationHostnameStringDestination networks that are associated with the offense.
QRadar.Offense.CloseTimeDateTime when the offense was closed.
QRadar.Offense.RemoteDestinationCountNumberNumber of remote destinations that are associated with the offense.
QRadar.Offense.StartTimeDateDate of the earliest item that contributed to the offense.
QRadar.Offense.MagnitudeNumberMagnitude of the offense.
QRadar.Offense.LastUpdatedTimeStringDate of the most recent item that contributed to the offense.
QRadar.Offense.CredibilityNumberCredibility of the offense.
QRadar.Offense.IDNumberID of the offense.
QRadar.Offense.CategoriesStringEvent categories that are associated with the offense.
QRadar.Offense.SeverityNumberSeverity of the offense.
QRadar.Offense.ClosingReasonStringReason the offense was closed.
QRadar.Offense.OffenseTypeStringType of the offense.
QRadar.Offense.RelevanceNumberRelevance of the offense.
QRadar.Offense.OffenseSourceStringSource of the offense.
QRadar.Offense.DestinationAddressNumberDestination addresses (IPs if IPs enrichment have been requested, else IDs of the IPs) that are associated with the offense.
QRadar.Offense.StatusStringStatus of the offense. Possible values: "OPEN", "HIDDEN", "CLOSED".
QRadar.Offense.LinkToOffenseStringLink to the URL containing information about the offense.
QRadar.Offense.AssetsStringAssets correlated to the offense, if enrichment was requested.

Command example#

!qradar-offense-update offense_id=14 assigned_to=admin enrichment="IPs And Assets" follow_up=true status=OPEN protected=false

Context Example#

{
"QRadar": {
"Offense": {
"AssignedTo": "admin",
"Categories": [
"Information",
"Suspicious Activity",
"Process Creation Success",
"Suspicious Windows Events",
"User Login Attempt",
"Misc Login Succeeded",
"Virtual Machine Creation Attempt",
"Read Activity Attempted",
"Object Download Attempt"
],
"Credibility": 4,
"Description": "Detected A Successful Login From Different Geographies For the Same Username - AWSCloud (Exp Center)\n preceded by An AWS API Has Been Invoked From Kali - AWSCloud (Exp Center)\n preceded by Microsoft Word Launc\n preceded by Detected a Massive Creation of EC2 Instances - AWSCloud (Exp Center)\n containing Mail Server Info Message\n",
"DestinationAddress": [
"1.1.1.1",
"1.1.1.1"
],
"DestinationHostname": [
"other",
"Net-10-172-192.Net_192_168_0_0"
],
"EventCount": 35651,
"FlowCount": 0,
"Followup": true,
"ID": 14,
"LastUpdatedTime": "2023-07-26T15:31:11.839000+00:00",
"LinkToOffense": "https://ec2-1.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=14",
"Magnitude": 4,
"OffenseSource": "userD",
"OffenseType": "Username",
"Protected": false,
"Relevance": 0,
"RemoteDestinationCount": 1,
"Rules": [
{
"id": 102539,
"name": "EC: AWS Cloud - Detected An Email with An Attachment From a Spam Sender",
"type": "CRE_RULE"
},
{
"id": 102589,
"name": "EC: AWS Cloud - Microsoft Word Launched a Command Shell",
"type": "CRE_RULE"
},
{
"id": 102639,
"name": "EC: AWS Cloud - Detected A Successful Login From Different Geographies For the Same Username",
"type": "CRE_RULE"
},
{
"id": 102389,
"name": "EC: AWS Cloud - An AWS API Has Been Invoked From Kali",
"type": "CRE_RULE"
},
{
"id": 102439,
"name": "EC: AWS Cloud - A Database backup Has Been Downloaded From S3 Bucket",
"type": "CRE_RULE"
},
{
"id": 102489,
"name": "EC: AWS Cloud - Detected a Massive Creation of EC2 Instances",
"type": "CRE_RULE"
}
],
"Severity": 10,
"SourceAddress": [
"1.1.1.1",
"1.1.1.1",
"1.1.1.1",
"1.1.1.1"
],
"StartTime": "2023-07-26T14:31:13.387000+00:00",
"Status": "OPEN"
}
}
}

Human Readable Output#

offense Update#

IDDescriptionOffenseTypeStatusSeverityDestinationHostnameLastUpdatedTimeCredibilityRulesSourceAddressAssignedToOffenseSourceFollowupEventCountStartTimeFlowCountDestinationAddressLinkToOffenseRemoteDestinationCountRelevanceCategoriesMagnitudeProtected
14Detected A Successful Login From Different Geographies For the Same Username - AWSCloud (Exp Center)
preceded by An AWS API Has Been Invoked From Kali - AWSCloud (Exp Center)
preceded by Microsoft Word Launc
preceded by Detected a Massive Creation of EC2 Instances - AWSCloud (Exp Center)
containing Mail Server Info Message
UsernameOPEN10other,
Net-10-172-192.Net_192_168_0_0
2023-07-26T15:31:11.839000+00:004{'id': 102539, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Detected An Email with An Attachment From a Spam Sender'},
{'id': 102589, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Microsoft Word Launched a Command Shell'},
{'id': 102639, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Detected A Successful Login From Different Geographies For the Same Username'},
{'id': 102389, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - An AWS API Has Been Invoked From Kali'},
{'id': 102439, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - A Database backup Has Been Downloaded From S3 Bucket'},
{'id': 102489, 'type': 'CRE_RULE', 'name': 'EC: AWS Cloud - Detected a Massive Creation of EC2 Instances'}
1.1.1.1,
1.1.1.1,
1.1.1.1,
1.1.1.1
adminuserDtrue356512023-07-26T14:31:13.387000+00:0001.1.1.1,
1.1.1.1
https://ec2-1.eu.compute-1.amazonaws.com/console/do/sem/offensesummary?appName=Sem&pageId=OffenseSummary&summaryId=1410Information,
Suspicious Activity,
Process Creation Success,
Suspicious Windows Events,
User Login Attempt,
Misc Login Succeeded,
Virtual Machine Creation Attempt,
Read Activity Attempted,
Object Download Attempt
4false

qradar-closing-reasons#


Retrieves a list of offense closing reasons.

Base Command#

qradar-closing-reasons

Input#

Argument NameDescriptionRequired
closing_reason_idThe closing reason ID for which to retrieve its details. Specify closing_reason_id to get details about a specific closing reason.Optional
include_reservedIf true, reserved closing reasons are included in the response. Possible values are: true, false. Default is false.Optional
include_deletedIf true, deleted closing reasons are included in the response. Possible values are: true, false. Default is false.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery to filter closing reasons, e.g. "id > 5". For reference see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,text". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offense_closing_reasons-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Offense.ClosingReasons.IsDeletedBooleanWhether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense.
QRadar.Offense.ClosingReasons.IsReservedBooleanWhether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense.
QRadar.Offense.ClosingReasons.NameStringName of the closing reason.
QRadar.Offense.ClosingReasons.IDNumberID of the closing reason.

Command example#

!qradar-closing-reasons include_deleted=true include_reserved=true

Context Example#

{
"QRadar": {
"Offense": {
"ClosingReasons": [
{
"ID": 2,
"IsDeleted": false,
"IsReserved": false,
"Name": "False-Positive, Tuned"
},
{
"ID": 1,
"IsDeleted": false,
"IsReserved": false,
"Name": "Non-Issue"
},
{
"ID": 3,
"IsDeleted": false,
"IsReserved": false,
"Name": "Policy Violation"
},
{
"ID": 4,
"IsDeleted": false,
"IsReserved": true,
"Name": "System Change (Upgrade, Reset, etc.)"
}
]
}
}
}

Human Readable Output#

Closing Reasons#

IDNameIsReservedIsDeleted
2False-Positive, Tunedfalsefalse
1Non-Issuefalsefalse
3Policy Violationfalsefalse
4System Change (Upgrade, Reset, etc.)truefalse

qradar-offense-notes-list#


Retrieves a list of notes for an offense.

Base Command#

qradar-offense-notes-list

Input#

Argument NameDescriptionRequired
offense_idThe offense ID to retrieve the notes for.Required
note_idThe note ID for which to retrieve its details. Specify note_id to get details about a specific note.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery to filter offense notes, e.g., "username=admin". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "username,note_text". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-offense_id-notes-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Note.TextStringThe text of the note.
QRadar.Note.CreateTimeDateCreation date of the note.
QRadar.Note.IDNumberID of the note.
QRadar.Note.CreatedByStringThe user who created the note.

Command example#

!qradar-offense-notes-list offense_id=14 filter="username='API_user: admin'" range=0-1

Context Example#

{
"QRadar": {
"Note": [
{
"CreateTime": "2023-07-27T13:58:46.428000+00:00",
"CreatedBy": "API_user: admin",
"ID": 53,
"Text": "Note Regarding The Offense"
},
{
"CreateTime": "2023-08-02T08:23:05.473000+00:00",
"CreatedBy": "API_user: admin",
"ID": 60,
"Text": "Note Regarding The Offense"
}
]
}
}

Human Readable Output#

Offense Notes List For Offense ID 14#

IDTextCreatedByCreateTime
53Note Regarding The OffenseAPI_user: admin2023-07-27T13:58:46.428000+00:00
60Note Regarding The OffenseAPI_user: admin2023-08-02T08:23:05.473000+00:00

qradar-offense-note-create#


Creates a note on an offense.

Base Command#

qradar-offense-note-create

Input#

Argument NameDescriptionRequired
offense_idThe offense ID to add the note to.Required
note_textThe text of the note.Required
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "username,note_text". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-offenses-offense_id-notes-POST.html.Optional

Context Output#

PathTypeDescription
QRadar.Note.TextStringThe text of the note.
QRadar.Note.CreateTimeDateCreation date of the note.
QRadar.Note.IDNumberID of the note.
QRadar.Note.CreatedByStringThe user who created the note.

Command example#

!qradar-offense-note-create note_text="Note Regarding The Offense" offense_id=14

Context Example#

{
"QRadar": {
"Note": {
"CreateTime": "2023-08-02T08:39:15.813000+00:00",
"CreatedBy": "API_user: admin",
"ID": 65,
"Text": "Note Regarding The Offense"
}
}
}

Human Readable Output#

Create Note#

IDTextCreatedByCreateTime
65Note Regarding The OffenseAPI_user: admin2023-08-02T08:39:15.813000+00:00

qradar-rules-list#


Retrieves a list of rules.

Base Command#

qradar-rules-list

Input#

Argument NameDescriptionRequired
rule_idThe rule ID for which to retrieve its details. Specify rule_id to get details about a specific rule.Optional
rule_typeRetrieves rules corresponding to the specified rule type. Possible values are: EVENT, FLOW, COMMON, USER.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter rules, e.g., "type=EVENT". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "owner,identifier,origin". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--analytics-rules-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Rule.OwnerStringOwner of the rule.
QRadar.Rule.BaseHostIDNumberID of the host from which the rule's base capacity was determined.
QRadar.Rule.CapacityTimestampNumberDate when the rule's capacity values were last updated.
QRadar.Rule.OriginStringOrigin of the rule. Possible values: "SYSTEM", "OVERRIDE", "USER".
QRadar.Rule.CreationDateDateDate when rule was created.
QRadar.Rule.TypeStringType of the rule. Possible values: "EVENT", "FLOW", "COMMON", "USER".
QRadar.Rule.EnabledBooleanWhether rule is enabled.
QRadar.Rule.ModificationDateDateDate when the rule was last modified.
QRadar.Rule.NameStringName of the rule.
QRadar.Rule.AverageCapacityNumberMoving average capacity in EPS of the rule across all hosts.
QRadar.Rule.IDNumberID of the rule.
QRadar.Rule.BaseCapacityNumberBase capacity of the rule in events per second.

Command example#

!qradar-rules-list rule_type=COMMON range=0-2

Context Example#

{
"QRadar": {
"Rule": [
{
"AverageCapacity": 0,
"BaseCapacity": 0,
"BaseHostID": 0,
"CapacityTimestamp": 0,
"CreationDate": "2007-10-14T20:12:00.374000+00:00",
"Enabled": true,
"ID": 100068,
"ModificationDate": "2022-11-21T18:44:32.696000+00:00",
"Name": "Login Successful After Scan Attempt",
"Origin": "SYSTEM",
"Owner": "admin",
"Type": "COMMON"
},
{
"AverageCapacity": 0,
"BaseCapacity": 0,
"BaseHostID": 0,
"CapacityTimestamp": 0,
"CreationDate": "2006-03-27T10:54:12.077000+00:00",
"Enabled": false,
"ID": 100102,
"ModificationDate": "2023-02-23T14:12:52.067000+00:00",
"Name": "Potential Botnet Connection (DNS)",
"Origin": "SYSTEM",
"Owner": "admin",
"Type": "COMMON"
},
{
"AverageCapacity": 0,
"BaseCapacity": 0,
"BaseHostID": 0,
"CapacityTimestamp": 0,
"CreationDate": "2005-12-22T00:54:48.708000+00:00",
"Enabled": true,
"ID": 100109,
"ModificationDate": "2023-02-23T14:12:49.992000+00:00",
"Name": "Host Port Scan Detected by Remote Host",
"Origin": "SYSTEM",
"Owner": "admin",
"Type": "COMMON"
}
]
}
}

Human Readable Output#

Rules List#

IDNameTypeEnabledBaseHostIDOriginModificationDateCreationDateBaseCapacityAverageCapacityOwnerCapacityTimestamp
100068Login Successful After Scan AttemptCOMMONtrue0SYSTEM2022-11-21T18:44:32.696000+00:002007-10-14T20:12:00.374000+00:0000admin0
100102Potential Botnet Connection (DNS)COMMONfalse0SYSTEM2023-02-23T14:12:52.067000+00:002006-03-27T10:54:12.077000+00:0000admin0
100109Host Port Scan Detected by Remote HostCOMMONtrue0SYSTEM2023-02-23T14:12:49.992000+00:002005-12-22T00:54:48.708000+00:0000admin0

qradar-rule-groups-list#


Retrieves a list of the rule groups.

Base Command#

qradar-rule-groups-list

Input#

Argument NameDescriptionRequired
rule_group_idThe rule group ID for which to retrieve its details. Specify rule_group_id to get details about a specific rule group.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter rules, e.g., "id >= 125". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "owner,parent_id". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--analytics-rule_groups-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.RuleGroup.OwnerStringOwner of the group.
QRadar.RuleGroup.ModifiedTimeDateDate since the group was last modified.
QRadar.RuleGroup.LevelNumberDepth of the group in the group hierarchy.
QRadar.RuleGroup.NameStringName of the group.
QRadar.RuleGroup.DescriptionStringDescription of the group.
QRadar.RuleGroup.IDNumberID of the group.
QRadar.RuleGroup.ChildItemsStringChild items of the group.
QRadar.RuleGroup.ChildGroupsNumberChild group IDs.
QRadar.RuleGroup.TypeStringThe type of the group.
QRadar.RuleGroup.ParentIDNumberID of the parent group.

Command example#

!qradar-rule-groups-list range=0-2

Context Example#

{
"QRadar": {
"RuleGroup": [
{
"ChildItems": [
"100045",
"100046",
"100047",
"100048",
"100049",
"100050",
"100051",
"100052",
"100053",
"100054",
"100055",
"100056",
"1607",
"1608",
"1609",
"1610",
"1611",
"1612",
"1613",
"1614",
"1615",
"1616",
"1617",
"1618"
],
"Description": "Rules focused on detection of suspicious asset reconciliation behavior.",
"ID": 125,
"Level": 2,
"ModifiedTime": "2014-01-06T15:23:26.060000+00:00",
"Name": "Asset Reconciliation Exclusion",
"Owner": "admin",
"ParentID": 3,
"Type": "RULE_GROUP"
},
{
"ChildItems": [
"100057",
"100059"
],
"Description": "Rules that indicate post-intrusion access activity",
"ID": 100020,
"Level": 2,
"ModifiedTime": "2015-07-08T20:14:12.250000+00:00",
"Name": "Horizontal Movement",
"Owner": "admin",
"ParentID": 3,
"Type": "RULE_GROUP"
},
{
"ChildItems": [
"100001",
"100003",
"100044",
"100323",
"1219",
"1265",
"1335",
"1410",
"1411",
"1412",
"1431",
"1443",
"1460",
"1461",
"1471",
"1481",
"1509",
"1552",
"1566"
],
"Description": "Rules based on log source and event anomalies such as high event rates or excessive connections.",
"ID": 101,
"Level": 1,
"ModifiedTime": "2010-08-21T11:48:27.850000+00:00",
"Name": "Anomaly",
"Owner": "admin",
"ParentID": 3,
"Type": "RULE_GROUP"
}
]
}
}

Human Readable Output#

Rules Group List#

IDNameDescriptionOwnerModifiedTimeParentIDTypeChildItemsLevel
125Asset Reconciliation ExclusionRules focused on detection of suspicious asset reconciliation behavior.admin2014-01-06T15:23:26.060000+00:003RULE_GROUP100045,
100046,
100047,
100048,
100049,
100050,
100051,
100052,
100053,
100054,
100055,
100056,
1607,
1608,
1609,
1610,
1611,
1612,
1613,
1614,
1615,
1616,
1617,
1618
2
100020Horizontal MovementRules that indicate post-intrusion access activityadmin2015-07-08T20:14:12.250000+00:003RULE_GROUP100057,
100059
2
101AnomalyRules based on log source and event anomalies such as high event rates or excessive connections.admin2010-08-21T11:48:27.850000+00:003RULE_GROUP100001,
100003,
100044,
100323,
1219,
1265,
1335,
1410,
1411,
1412,
1431,
1443,
1460,
1461,
1471,
1481,
1509,
1552,
1566
1

qradar-assets-list#


Retrieves assets list.

Base Command#

qradar-assets-list

Input#

Argument NameDescriptionRequired
asset_idThe asset ID for which to retrieve its details. Specify asset_id to get details about a specific asset.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter assets, e.g., "domain_id=0". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,interfaces,users,properties". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--asset_model-assets-GET.html.Optional

Context Output#

PathTypeDescription
Endpoint.DomainStringDNS name.
Endpoint.OSStringAsset operating system.
Endpoint.MACAddressStringAsset MAC address.
Endpoint.IPAddressUnknownIP addresses of the endpoint.
QRadar.Asset.Interfaces.idNumberID of the interface.
QRadar.Asset.Interfaces.mac_addressStringMAC address of the interface. Null if unknown.
QRadar.Asset.Interfaces.ip_addresses.idNumberID of the interface.
QRadar.Asset.Interfaces.ip_addresses.network_idNumberNetwork ID of the network the IP belongs to.
QRadar.Asset.Interfaces.ip_addresses.valueStringThe IP address.
QRadar.Asset.Interfaces.ip_addresses.typeStringType of IP address. Possible values: "IPV4", "IPV6".
QRadar.Asset.Interfaces.ip_addresses.createdDateDate when the IP address was created.
QRadar.Asset.Interfaces.ip_addresses.first_seen_scannerDateDate when the IP address was first seen during a vulnerability scan.
QRadar.Asset.Interfaces.ip_addresses.first_seen_profilerDateDate when the IP address was first seen in event or flow traffic.
QRadar.Asset.Interfaces.ip_addresses.last_seen_scannerDateDate when the IP address was most recently seen during a vulnerability scan.
QRadar.Asset.Interfaces.ip_addresses.last_seen_profilerDateDate when the IP address was most recently seen in event or flow traffic.
QRadar.Asset.Products.idNumberThe ID of this software product instance in QRadar's asset model.
QRadar.Asset.Products.product_variant_idNumberThe ID of this software product variant in QRadar's catalog of products.
QRadar.Asset.Products.first_seen_scannerDateDate when the product was first seen during a vulnerability scan.
QRadar.Asset.Products.first_seen_profilerDateDate when the product was first seen in event or flow traffic.
QRadar.Asset.Products.last_seen_scannerDateDate when the product was most recently seen seen during a vulnerability scan.
QRadar.Asset.Products.last_seen_profilerDateDate when the product was most recently seen in event or flow traffic.
QRadar.Asset.VulnerabilityCountNumberThe total number of vulnerabilities associated with this asset.
QRadar.Asset.RiskScoreSumNumberThe sum of the CVSS scores of the vulnerabilities on this asset.
QRadar.Asset.Hostnames.last_seen_profilerDateDate when the host was most recently seen in event or flow traffic.
QRadar.Asset.Hostnames.createdDateDate when the host was created.
QRadar.Asset.Hostnames.last_seen_scannerDateDate when the host was most recently seen during a vulnerability scan.
QRadar.Asset.Hostnames.nameStringName of the host.
QRadar.Asset.Hostnames.first_seen_scannerDateDate when the host was first seen during a vulnerability scan.
QRadar.Asset.Hostnames.idNumberID of the host.
QRadar.Asset.Hostnames.typeStringType of the host. Possible values: "DNS", "NETBIOS", "NETBIOSGROUP".
QRadar.Asset.Hostnames.first_seen_profilerDateDate when the host was first seen in event or flow traffic.
QRadar.Asset.IDNumberID of the asset.
QRadar.Asset.Users.last_seen_profilerDateDate when the user was most recently seen in event or flow traffic.
QRadar.Asset.Users.last_seen_scannerDateDate when the user was most recently seen during a vulnerability scan.
QRadar.Asset.Users.first_seen_scannerDateDate when the user was first seen during a vulnerability scan.
QRadar.Asset.Users.idNumberID of the user.
QRadar.Asset.Users.first_seen_profilerDateDate when the user was first seen in event or flow traffic.
QRadar.Asset.Users.usernameStringName of the user.
QRadar.Asset.DomainIDNumberID of the domain this asset belongs to.
QRadar.Asset.Properties.last_reportedDateDate when the property was last updated.
QRadar.Asset.Properties.nameStringName of the property.
QRadar.Asset.Properties.type_idNumberType ID of the property.
QRadar.Asset.Properties.idNumberID of the property.
QRadar.Asset.Properties.last_reported_byStringThe source of the most recent update to this property.
QRadar.Asset.Properties.valueStringProperty value.

Command example#

!qradar-assets-list filter="id<1100" range=0-2

Context Example#

{
"Endpoint": [
{
"IPAddress": [
"1.1.1.1"
]
}
],
"QRadar": {
"Asset": {
"DomainID": 0,
"ID": 1003,
"Interfaces": [
{
"created": "2023-07-26T14:32:01.789000+00:00",
"id": 1003,
"ip_addresses": [
{
"created": "2023-07-26T14:32:01.789000+00:00",
"id": 1003,
"network_id": 2,
"type": "IPV4",
"value": "1.1.1.1"
}
]
}
],
"Properties": [
{
"id": 1020,
"last_reported": "2023-07-26T14:32:01.802000+00:00",
"last_reported_by": "USER:admin",
"name": "Unified Name",
"type_id": 1002,
"value": "1.1.1.1"
}
],
"RiskScoreSum": 0,
"VulnerabilityCount": 0
}
}
}

Human Readable Output#

Assets List#

DomainIDIDInterfacesPropertiesRiskScoreSumVulnerabilityCount
01003{'created': '2023-07-26T14:32:01.789000+00:00', 'ip_addresses': [{'created': '2023-07-26T14:32:01.789000+00:00', 'network_id': 2, 'id': 1003, 'type': 'IPV4', 'value': '1.1.1.1'}], 'id': 1003}{'last_reported': '2023-07-26T14:32:01.802000+00:00', 'name': 'Unified Name', 'type_id': 1002, 'id': 1020, 'last_reported_by': 'USER:admin', 'value': '1.1.1.1'}0.00

Endpoints#

IPAddress
1.1.1.1

qradar-saved-searches-list#


Retrieves a list of Ariel saved searches.

Base Command#

qradar-saved-searches-list

Input#

Argument NameDescriptionRequired
saved_search_idThe saved search ID for which to retrieve its details. Specify saved_search_id to get details about a specific saved search.Optional
timeoutNumber of seconds until timeout for the specified command. Default is 35.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter saved searches, e.g., "database=EVENTS and is_dashboard=true". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,owner,description". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--ariel-saved_searches-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.SavedSearch.OwnerStringOwner of the saved search.
QRadar.SavedSearch.DescriptionStringDescription of the saved search.
QRadar.SavedSearch.CreationDateDateDate when saved search was created.
QRadar.SavedSearch.UIDStringUID of the saved search.
QRadar.SavedSearch.DatabaseStringThe database of the Ariel saved search, events, or flows.
QRadar.SavedSearch.QuickSearchBooleanWhether the saved search is a quick search.
QRadar.SavedSearch.NameStringName of the saved search.
QRadar.SavedSearch.ModifiedDateDateDate when the saved search was most recently modified.
QRadar.SavedSearch.IDNumberID of the saved search.
QRadar.SavedSearch.AQLStringThe AQL query.
QRadar.SavedSearch.IsSharedBooleanWhether the saved search is shared with other users.

Command example#

!qradar-saved-searches-list range=0-1

Context Example#

{
"QRadar": {
"SavedSearch": [
{
"AQL": "select QIDNAME(qid) as 'Event Name',logsourcename(logSourceId) as 'Log Source',\"eventCount\" as 'Event Count',\"startTime\" as 'Time',categoryname(category) as 'Low Level Category',\"sourceIP\" as 'Source IP',\"sourcePort\" as 'Source Port',\"destinationIP\" as 'Destination IP',\"destinationPort\" as 'Destination Port',\"userName\" as 'Username',\"magnitude\" as 'Magnitude' from events where \"Experience Center\" ilike '%AWSCloud%' order by \"startTime\" desc LIMIT 1000 start '2023-08-02 08:34' stop '2023-08-02 08:39'",
"CreationDate": "2019-04-02T17:39:08.493000+00:00",
"Database": "EVENTS",
"Description": "",
"ID": 2817,
"IsShared": false,
"ModifiedDate": "2023-02-23T14:12:52.611000+00:00",
"Name": "EC: AWS Cloud Attack Events",
"Owner": "admin",
"QuickSearch": false,
"UID": "0144c7d8-a3fe-47c1-b16b-12721a34077e"
},
{
"AQL": "select * from flows where destinationport = '445' and (FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%70 00 73 00 65 00 78 00 65 00 63 00 73 00 76 00 63 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%73 00 76 00 63 00 63 00 74 00 6c 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%5c 00 61 00 64 00 6d 00 69 00 6e 00 24 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%ff 53 4d 42 72 00 00 00 00 18 07 c0%') last 24 HOURS",
"CreationDate": "2017-07-02T18:11:44.984000+00:00",
"Database": "FLOWS",
"Description": "",
"ID": 2835,
"IsShared": true,
"ModifiedDate": "2023-03-05T13:34:00.352000+00:00",
"Name": "Potential Ransomware (Suspicious activity, Possible Petya, NotPetya)",
"Owner": "admin",
"QuickSearch": false,
"UID": "0791701a-80e3-4a1c-b11f-7bc943b96bf6"
}
]
}
}

Human Readable Output#

Saved Searches List#

IDNameIsSharedAQLUIDQuickSearchModifiedDateCreationDateDatabaseOwner
2817EC: AWS Cloud Attack Eventsfalseselect QIDNAME(qid) as 'Event Name',logsourcename(logSourceId) as 'Log Source',"eventCount" as 'Event Count',"startTime" as 'Time',categoryname(category) as 'Low Level Category',"sourceIP" as 'Source IP',"sourcePort" as 'Source Port',"destinationIP" as 'Destination IP',"destinationPort" as 'Destination Port',"userName" as 'Username',"magnitude" as 'Magnitude' from events where "Experience Center" ilike '%AWSCloud%' order by "startTime" desc LIMIT 1000 start '2023-08-02 08:34' stop '2023-08-02 08:39'0144c7d8-a3fe-47c1-b16b-12721a34077efalse2023-02-23T14:12:52.611000+00:002019-04-02T17:39:08.493000+00:00EVENTSadmin
2835Potential Ransomware (Suspicious activity, Possible Petya, NotPetya)trueselect * from flows where destinationport = '445' and (FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%70 00 73 00 65 00 78 00 65 00 63 00 73 00 76 00 63 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%50 00 53 00 45 00 58 00 45 00 53 00 56 00 43 00 2e 00 45 00 58 00 45%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%73 00 76 00 63 00 63 00 74 00 6c 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%5c 00 61 00 64 00 6d 00 69 00 6e 00 24 00%' OR FORMAT::PAYLOAD_TO_HEX(sourcepayload) like '%ff 53 4d 42 72 00 00 00 00 18 07 c0%') last 24 HOURS0791701a-80e3-4a1c-b11f-7bc943b96bf6false2023-03-05T13:34:00.352000+00:002017-07-02T18:11:44.984000+00:00FLOWSadmin

qradar-searches-list#


Retrieves the list of Ariel searches IDs. Search status and results can be polled by sending the search ID to the 'qradar-search-status-get' and 'qradar-search-results-get' commands.

Base Command#

qradar-searches-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional

Context Output#

PathTypeDescription
QRadar.SearchID.SearchIDStringID of the search.

Command example#

!qradar-searches-list

Context Example#

{
"QRadar": {
"SearchID": [
{
"SearchID": "111e7107-48da-4645-8c2c-a8285d113eac"
},
{
"SearchID": "4ad8f58f-d63b-4555-9d5e-62529e6ac089"
},
{
"SearchID": "909075e0-b450-400c-b641-dd04e46b65bf"
},
{
"SearchID": "f6387ac3-342a-41e7-bcd4-14fe5525dc5c"
},
{
"SearchID": "e15caa93-a01f-49f4-b6be-5c666b0e08c7"
},
{
"SearchID": "36ad7331-149d-4419-947d-ff0d3dd23cf1"
},
{
"SearchID": "a893fc4f-f405-4cb2-a6c3-698dfad6045d"
},
{
"SearchID": "47f40fcd-b7fd-48d7-abbc-05fb447acee2"
},
{
"SearchID": "8967788b-f746-4e5b-9174-c145196eddb1"
},
{
"SearchID": "1d743e24-a524-417f-9747-c967e0328b48"
},
{
"SearchID": "be14bcb5-363e-4547-9b7f-923578a16ae6"
},
{
"SearchID": "a4f4d846-9057-41ae-b558-0dd47134a72a"
},
{
"SearchID": "2c98e5f6-4988-4fe3-bbac-43acbbfaaea2"
},
{
"SearchID": "7e4bd0cf-b04e-446f-ba94-16e1811740e9"
},
{
"SearchID": "76e9ed8a-4f59-42ad-8135-9b1781568935"
},
{
"SearchID": "04e953e2-153a-488b-9a53-8701d16431c4"
},
{
"SearchID": "cd44255c-0496-4663-a6ac-9662ad4a13ef"
},
{
"SearchID": "92e5d6ec-1c60-4c7b-ad97-7610c1e7ed90"
},
{
"SearchID": "8ded0056-8853-443f-9f99-3fff30c08cd6"
},
{
"SearchID": "5ced0d93-4237-461a-ba12-6513d5674fb0"
},
{
"SearchID": "1de985b2-2d45-4d0e-ac86-d25c5b7d8803"
},
{
"SearchID": "b19000dd-1eda-4b85-a45e-334478f0755f"
},
{
"SearchID": "ae52c4d7-689f-4274-8f74-6de74bd3652c"
},
{
"SearchID": "70fe39d6-4e8e-4c48-8207-12d5930544f4"
},
{
"SearchID": "011e1de5-c985-462a-8252-e291acaed012"
},
{
"SearchID": "174d5a7c-b004-4b9c-96fb-868c043daa3c"
},
{
"SearchID": "12b576a1-410e-4c46-bd95-61b2bebb4ceb"
},
{
"SearchID": "8f1b645a-6f81-43fc-86f3-23c2213359b6"
},
{
"SearchID": "12463d5a-4d2c-4c5b-9640-88e4cdee245c"
},
{
"SearchID": "e1d2697f-4c40-46d0-b8b3-90a51e732814"
},
{
"SearchID": "e9dea979-039c-409a-8a60-fe1fe44fa3c2"
},
{
"SearchID": "66ca4a44-a3ac-482b-9d7a-300d621eb8a9"
},
{
"SearchID": "a42ef950-fd27-42c9-af3d-8d466bf73d5d"
},
{
"SearchID": "73ee61f0-c480-4145-a00b-d8c3a55de791"
},
{
"SearchID": "e73b8002-b47d-4fb3-9dae-34a99dd21943"
},
{
"SearchID": "5b812a3b-624d-4cf7-a2ed-f2d1f469b0a4"
},
{
"SearchID": "4f6e37db-8c4f-4e2f-9b27-b8ae68d0c38b"
},
{
"SearchID": "df9cf783-d706-46ed-8be7-680a0830d3eb"
},
{
"SearchID": "d2aa7f7c-dbf4-405f-9652-b6bb776164f0"
},
{
"SearchID": "de72022b-8070-4151-a826-16eb913db2cd"
},
{
"SearchID": "32501bb7-22b8-4d79-aa7b-0b565c4bd806"
},
{
"SearchID": "f89f3515-6d27-4616-a1bb-7dc008aa1562"
},
{
"SearchID": "1ba37caf-c969-43fa-b037-6c164535b512"
},
{
"SearchID": "78b709c4-8037-43dc-8bf0-dfd94629674f"
},
{
"SearchID": "88096e2b-4feb-4071-807e-96e3dfc080ff"
},
{
"SearchID": "1a7576fc-2cc1-41c6-85b6-3728d4d44f3d"
},
{
"SearchID": "b4414e3b-b5ec-4cc8-9db2-35a7a2057e46"
},
{
"SearchID": "c6a82de6-cfef-444e-9b0f-b124b5599b7b"
},
{
"SearchID": "185971cc-ebbb-453d-b826-bffc59836be1"
},
{
"SearchID": "2a45ec38-d060-4aae-9a9c-730f49966fdc"
}
]
}
}

Human Readable Output#

Search ID List#

SearchID
111e7107-48da-4645-8c2c-a8285d113eac
4ad8f58f-d63b-4555-9d5e-62529e6ac089
909075e0-b450-400c-b641-dd04e46b65bf
f6387ac3-342a-41e7-bcd4-14fe5525dc5c
e15caa93-a01f-49f4-b6be-5c666b0e08c7
36ad7331-149d-4419-947d-ff0d3dd23cf1
a893fc4f-f405-4cb2-a6c3-698dfad6045d
47f40fcd-b7fd-48d7-abbc-05fb447acee2
8967788b-f746-4e5b-9174-c145196eddb1
1d743e24-a524-417f-9747-c967e0328b48
be14bcb5-363e-4547-9b7f-923578a16ae6
a4f4d846-9057-41ae-b558-0dd47134a72a
2c98e5f6-4988-4fe3-bbac-43acbbfaaea2
7e4bd0cf-b04e-446f-ba94-16e1811740e9
76e9ed8a-4f59-42ad-8135-9b1781568935
04e953e2-153a-488b-9a53-8701d16431c4
cd44255c-0496-4663-a6ac-9662ad4a13ef
92e5d6ec-1c60-4c7b-ad97-7610c1e7ed90
8ded0056-8853-443f-9f99-3fff30c08cd6
5ced0d93-4237-461a-ba12-6513d5674fb0
1de985b2-2d45-4d0e-ac86-d25c5b7d8803
b19000dd-1eda-4b85-a45e-334478f0755f
ae52c4d7-689f-4274-8f74-6de74bd3652c
70fe39d6-4e8e-4c48-8207-12d5930544f4
011e1de5-c985-462a-8252-e291acaed012
174d5a7c-b004-4b9c-96fb-868c043daa3c
12b576a1-410e-4c46-bd95-61b2bebb4ceb
8f1b645a-6f81-43fc-86f3-23c2213359b6
12463d5a-4d2c-4c5b-9640-88e4cdee245c
e1d2697f-4c40-46d0-b8b3-90a51e732814
e9dea979-039c-409a-8a60-fe1fe44fa3c2
66ca4a44-a3ac-482b-9d7a-300d621eb8a9
a42ef950-fd27-42c9-af3d-8d466bf73d5d
73ee61f0-c480-4145-a00b-d8c3a55de791
e73b8002-b47d-4fb3-9dae-34a99dd21943
5b812a3b-624d-4cf7-a2ed-f2d1f469b0a4
4f6e37db-8c4f-4e2f-9b27-b8ae68d0c38b
df9cf783-d706-46ed-8be7-680a0830d3eb
d2aa7f7c-dbf4-405f-9652-b6bb776164f0
de72022b-8070-4151-a826-16eb913db2cd
32501bb7-22b8-4d79-aa7b-0b565c4bd806
f89f3515-6d27-4616-a1bb-7dc008aa1562
1ba37caf-c969-43fa-b037-6c164535b512
78b709c4-8037-43dc-8bf0-dfd94629674f
88096e2b-4feb-4071-807e-96e3dfc080ff
1a7576fc-2cc1-41c6-85b6-3728d4d44f3d
b4414e3b-b5ec-4cc8-9db2-35a7a2057e46
c6a82de6-cfef-444e-9b0f-b124b5599b7b
185971cc-ebbb-453d-b826-bffc59836be1
2a45ec38-d060-4aae-9a9c-730f49966fdc

qradar-search-create#


Creates a new asynchronous Ariel search. Returns the search ID. Search status and results can be polled by sending the search ID to the 'qradar-search-status-get' and 'qradar-search-results-get' commands. Accepts SELECT query expressions only.

Base Command#

qradar-search-create

Input#

Argument NameDescriptionRequired
offense_idThe ID of the offense to retrieve. Mutually exclusive with query_expression and saved_search_id.Optional
events_limitThe number of events to return. Mutually exclusive with query_expression and saved_search_id.Optional
events_columnsComma separated list of columns to return. Mutually exclusive with query_expression and saved_search_id.Optional
fetch_modeThe mode to use when fetching events. Mutually exclusive with query_expression and saved_search_id. Possible values are: Fetch With All Events, Fetch Correlation Events Only.Optional
start_timeThe start time of the search.Optional
query_expressionThe AQL query to execute. Mutually exclusive with all other arguments.Optional
saved_search_idSaved search ID to execute. Mutually exclusive with all other arguments. Saved search ID is the 'id' field returned by the 'qradar-saved-searches-list' command.Optional

Context Output#

PathTypeDescription
QRadar.Search.StatusStringStatus of the newly created search.
QRadar.Search.IDStringID of the newly created search.

Command example#

!qradar-search-create query_expression="""SELECT "destinationPort" AS 'Destination Port', UniqueCount("sourceIP") AS 'Source IP (Unique Count)', UniqueCount("destinationIP") AS 'Destination IP (Unique Count)', UniqueCount(qid) AS 'Event Name (Unique Count)', UniqueCount(logSourceId) AS 'Log Source (Unique Count)', UniqueCount(category) AS 'Low Level Category (Unique Count)', UniqueCount("protocolId") AS 'Protocol (Unique Count)', UniqueCount("userName") AS 'Username (Unique Count)', MAX("magnitude") AS 'Magnitude (Maximum)', SUM("eventCount") AS 'Event Count (Sum)', COUNT(*) AS 'Count' from events where ( ("creEventList"='100120') or ("creEventList"='100122') or ("creEventList"='100135') AND "eventDirection"='R2L' ) GROUP BY "destinationPort" order by "Event Count (Sum)" desc last 6 hours"""

Context Example#

{
"QRadar": {
"Search": {
"ID": "68d4e4e6-f512-4171-b130-d671334cb47d",
"Status": "WAIT"
}
}
}

Human Readable Output#

Create Search#

IDStatus
68d4e4e6-f512-4171-b130-d671334cb47dWAIT

qradar-search-status-get#


Retrieves status information for a search, based on the search ID.

Base Command#

qradar-search-status-get

Input#

Argument NameDescriptionRequired
search_idThe identifier for an Ariel search.Required

Context Output#

PathTypeDescription
QRadar.Search.StatusStringStatus of the search.
QRadar.Search.IDStringID of the search.

qradar-search-results-get#


Retrieves search results.

Base Command#

qradar-search-results-get

Input#

Argument NameDescriptionRequired
search_idThe identifier for an Ariel search.Required
output_pathReplaces the default context output path for the query result (QRadar.Search.Result). E.g., for output_path=QRadar.Correlations, the result will be under the 'QRadar.Correlations' key in the context data.Optional
rangeRange of events to return. (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional

Context Output#

PathTypeDescription
QRadar.Search.ResultUnknownThe result of the search.

qradar-reference-sets-list#


Retrieves a list of reference sets.

Base Command#

qradar-reference-sets-list

Input#

Argument NameDescriptionRequired
ref_nameThe reference name of the reference set for which to retrieve its details. Specify ref_name to get details about a specific reference set.Optional
date_valueIf set to true will try to convert the data values to ISO-8601 string. Possible values are: True, False. Default is False.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter reference sets, e.g., "timeout_type=FIRST_SEEN". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-sets-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Reference.TimeoutTypeStringTimeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN".
QRadar.Reference.NumberOfElementsNumberNumber of elements in the reference set.
QRadar.Reference.TimeToLiveStringTime left to live for the reference.
QRadar.Reference.Data.LastSeenDateDate when this data was last seen.
QRadar.Reference.Data.FirstSeenDateDate when this data was first seen.
QRadar.Reference.Data.SourceStringSource of this data.
QRadar.Reference.Data.ValueStringData value.
QRadar.Reference.CreationTimeDateDate when the reference set was created.
QRadar.Reference.NameStringName of the reference set.
QRadar.Reference.ElementTypeStringType of the elements in the reference set.

Command example#

!qradar-reference-sets-list filter="timeout_type=FIRST_SEEN" range=0-2

Context Example#

{
"QRadar": {
"Reference": [
{
"CreationTime": "2015-08-27T17:15:40.583000+00:00",
"ElementType": "IP",
"Name": "Critical Assets",
"NumberOfElements": 0,
"TimeoutType": "FIRST_SEEN"
},
{
"CreationTime": "2017-10-25T16:31:15.992000+00:00",
"ElementType": "ALNIC",
"Name": "BadRabbit_FileHash",
"NumberOfElements": 6,
"TimeoutType": "FIRST_SEEN"
},
{
"CreationTime": "2022-10-03T10:38:51.140000+00:00",
"ElementType": "IP",
"Name": "Windows RCE IPs",
"NumberOfElements": 19,
"TimeoutType": "FIRST_SEEN"
}
]
}
}

Human Readable Output#

Reference Sets List#

NameElementTypeTimeoutTypeCreationTimeNumberOfElements
Critical AssetsIPFIRST_SEEN2015-08-27T17:15:40.583000+00:000
BadRabbit_FileHashALNICFIRST_SEEN2017-10-25T16:31:15.992000+00:006
Windows RCE IPsIPFIRST_SEEN2022-10-03T10:38:51.140000+00:0019

qradar-reference-set-create#


Creates a new reference set.

Base Command#

qradar-reference-set-create

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to be created. Reference names can be found by 'Name' field in 'qradar-reference-sets-list' command.Required
element_typeThe element type for the values allowed in the reference set. Possible values are: ALN, ALNIC, NUM, IP, PORT, DATE.Required
timeout_typeIndicates if the time_to_live interval is based on when the data was first seen or last seen. Possible values are: FIRST_SEEN, LAST_SEEN, UNKNOWN. Default is UNKNOWN.Optional
time_to_liveThe time to live interval, time range. for example: '1 month' or '5 minutes'.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-sets-POST.html.Optional

Context Output#

PathTypeDescription
QRadar.Reference.TimeoutTypeStringTimeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN".
QRadar.Reference.NumberOfElementsNumberNumber of elements in the reference set.
QRadar.Reference.TimeToLiveStringTime left to live for the reference.
QRadar.Reference.Data.LastSeenDateDate when this data was last seen.
QRadar.Reference.Data.FirstSeenDateDate when this data was first seen.
QRadar.Reference.Data.SourceStringSource of this data.
QRadar.Reference.Data.ValueStringData value.
QRadar.Reference.CreationTimeDateDate when the reference set was created.
QRadar.Reference.NameStringName of the reference set.
QRadar.Reference.ElementTypeStringType of the elements in the reference set.

Command example#

!qradar-reference-set-create element_type=IP ref_name="Malicious IPs" time_to_live="1 year" timeout_type=FIRST_SEEN

Context Example#

{
"QRadar": {
"Reference": {
"CreationTime": "2023-08-02T08:39:30.887000+00:00",
"ElementType": "IP",
"Name": "Malicious IPs",
"NumberOfElements": 0,
"TimeToLive": "1 years 0 mons 0 days 0 hours 0 mins 0.0 secs",
"TimeoutType": "FIRST_SEEN"
}
}
}

Human Readable Output#

Reference Set Create#

NameElementTypeTimeToLiveTimeoutTypeCreationTimeNumberOfElements
Malicious IPsIP1 years 0 mons 0 days 0 hours 0 mins 0.0 secsFIRST_SEEN2023-08-02T08:39:30.887000+00:000

qradar-reference-set-delete#


Removes a reference set or purges its contents.

Base Command#

qradar-reference-set-delete

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to be deleted. Reference names can be found by 'Name' field in 'qradar-reference-sets-list' command.Required
purge_onlyIndicates if the reference set should have its contents purged (true), keeping the reference set structure. If the value is 'false', or not specified the reference set is removed completely. Possible values are: true, false. Default is false.Optional

Context Output#

There is no context output for this command.

Command example#

!qradar-reference-set-delete ref_name="Malicious IPs"

Human Readable Output#

Request to delete reference Malicious IPs was submitted. Current deletion status: QUEUED

qradar-reference-set-value-upsert#


Adds or updates an element in a reference set.

Base Command#

qradar-reference-set-value-upsert

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to add or update an element in. Reference names can be found by the 'Name' field in the 'qradar-reference-sets-list' command.Required
valueComma-separated list of the values to add or update in the reference set. If the values are dates, the supported date formats are: epoch, ISO, and time range (<number> <time unit>', e.g., 12 hours, 7 days.).Required
sourceAn indication of where the data originated. Default is reference data api.Optional
date_valueTrue if the specified value type was date. Possible values are: true, false.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-sets-name-POST.html.Optional

Context Output#

PathTypeDescription
QRadar.Reference.TimeoutTypeStringTimeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN".
QRadar.Reference.NumberOfElementsNumberNumber of elements in the reference set.
QRadar.Reference.TimeToLiveStringTime left to live for the reference.
QRadar.Reference.Data.LastSeenDateDate when this data was last seen.
QRadar.Reference.Data.FirstSeenDateDate when this data was first seen.
QRadar.Reference.Data.SourceStringSource of this data.
QRadar.Reference.Data.ValueStringData value.
QRadar.Reference.CreationTimeDateDate when the reference set was created.
QRadar.Reference.NameStringName of the reference set.
QRadar.Reference.ElementTypeStringType of the elements in the reference set.

Command example#

!qradar-reference-set-value-upsert ref_name="Malicious IPs" value="1.1.1.1,1.1.1.1,1.1.1.1"

Context Example#

{
"QRadar": {
"Reference": {
"CreationTime": "2023-08-02T08:39:30.887000+00:00",
"Data": [
{
"first_seen": 1690965572017,
"last_seen": 1690965572017,
"source": "reference data api",
"value": "1.1.1.1"
},
{
"first_seen": 1690965572017,
"last_seen": 1690965572017,
"source": "reference data api",
"value": "1.1.1.1"
},
{
"first_seen": 1690965572017,
"last_seen": 1690965572017,
"source": "reference data api",
"value": "1.1.1.1"
}
],
"ElementType": "IP",
"Name": "Malicious IPs",
"NumberOfElements": 3,
"TimeToLive": "1 years 0 mons 0 days 0 hours 0 mins 0.0 secs",
"TimeoutType": "FIRST_SEEN"
}
}
}

Human Readable Output#

Reference Update Create#

CreationTimeDataElementTypeNameNumberOfElementsTimeToLiveTimeoutType
2023-08-02T08:39:30.887000+00:00{'last_seen': 1690965572017, 'first_seen': 1690965572017, 'source': 'reference data api', 'value': '1.1.1.1'},
{'last_seen': 1690965572017, 'first_seen': 1690965572017, 'source': 'reference data api', 'value': '1.1.1.1'},
{'last_seen': 1690965572017, 'first_seen': 1690965572017, 'source': 'reference data api', 'value': '1.1.1.1'}
IPMalicious IPs31 years 0 mons 0 days 0 hours 0 mins 0.0 secsFIRST_SEEN

qradar-reference-set-value-delete#


Removes a value from a reference set.

Base Command#

qradar-reference-set-value-delete

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set from which to remove a value. Reference names can be found by the 'Name' field in the 'qradar-reference-sets-list' command.Required
valueThe value to remove from the reference set. If the specified value is date, the supported date formats are: epoch, ISO, and time range (<number> <time unit>, e.g., 12 hours, 7 days.).Required
date_valueTrue if the specified value type was date. Possible values are: True, False.Optional

Context Output#

There is no context output for this command.

Command example#

!qradar-reference-set-value-delete ref_name="Malicious IPs" value="1.1.1.1"

Human Readable Output#

value: 1.1.1.1 of reference: Malicious IPs was deleted successfully#

qradar-domains-list#


Gets the list of domains. You must have System Administrator or Security Administrator permissions to call this endpoint if you are trying to retrieve the details of all domains. You can retrieve details of domains that are assigned to your Security Profile without having the System Administrator or Security Administrator permissions. If you do not have the System Administrator or Security Administrator permissions, then for each domain assigned to your security profile you can only view the values for the ID and name fields. All other values return null.

Base Command#

qradar-domains-list

Input#

Argument NameDescriptionRequired
domain_idThe domain ID from which to retrieve its details. Specify domain_id to get details about a specific domain.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter domains, e.g., "id > 3". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--config-domain_management-domains-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Domains.AssetScannerIDsNumberAsset scanner IDs that are associated with the domain.
QRadar.Domains.CustomPropertiesUnknownCustom properties of the domain.
QRadar.Domains.DeletedBooleanWhether the domain has been deleted.
QRadar.Domains.DescriptionStringDescription of the domain.
QRadar.Domains.EventCollectorIDsNumberEvent collector IDs that are assigned to this domain.
QRadar.Domains.FlowCollectorIDsNumberFlow collector IDs that are assigned to this domain.
QRadar.Domains.FlowSourceIDsNumberFlow source IDs that are assigned to this domain.
QRadar.Domains.IDNumberID of the domain.
QRadar.Domains.LogSourceGroupIDsNumberLog source group IDs that are assigned to this domain.
QRadar.Domains.LogSourceIDsNumberLog source IDs that are assigned to this domain.
QRadar.Domains.NameStringName of the domain.
QRadar.Domains.QVMScannerIDsNumberQVM scanner IDs that are assigned to this domain.
QRadar.Domains.TenantIDNumberID of the tenant that this domain belongs to.

Command example#

!qradar-domains-list

Context Example#

{
"QRadar": {
"Domains": {
"Deleted": false,
"Description": "",
"ID": 0,
"Name": "",
"TenantID": 0
}
}
}

Human Readable Output#

Domains List#

DeletedIDTenantID
false00

qradar-indicators-upload#


Uploads indicators to QRadar.

Base Command#

qradar-indicators-upload

Input#

Argument NameDescriptionRequired
ref_nameThe name of set to add or update data in. Reference names can be found by the 'Name' field in the 'qradar-reference-sets-list' command.Required
queryThe query for getting indicators from Cortex XSOAR.Optional
limitThe maximum number of indicators to fetch from Cortex XSOAR. Default is 50.Optional
pageThe page from which to get the indicators.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "name,timeout_type". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--reference_data-maps-bulk_load-namespace-name-domain_id-POST.html.Optional

Context Output#

PathTypeDescription
QRadar.Reference.TimeoutTypeStringTimeout type of the reference set. Possible values: "UNKNOWN", "FIRST_SEEN", "LAST_SEEN".
QRadar.Reference.NumberOfElementsNumberNumber of elements in the reference set.
QRadar.Reference.TimeToLiveStringTime left to live for the reference.
QRadar.Reference.Data.LastSeenDateDate when this data was last seen.
QRadar.Reference.Data.FirstSeenDateDate when this data was first seen.
QRadar.Reference.Data.SourceStringSource of this data.
QRadar.Reference.Data.ValueStringData value.
QRadar.Reference.CreationTimeDateDate when the reference set was created.
QRadar.Reference.NameStringName of the reference set.
QRadar.Reference.ElementTypeStringType of the elements in the reference set.

qradar-geolocations-for-ip#


Retrieves the MaxMind GeoIP data for the specified IP address.

Base Command#

qradar-geolocations-for-ip

Input#

Argument NameDescriptionRequired
ipComma-separated list of IPs fro which to retrieve their geolocation.Required
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "continent,ip_address". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--services-geolocations-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.GeoForIP.CityNameStringName of the city that is associated with the IP address.
QRadar.GeoForIP.ContinentNameStringName of the continent that is associated with the IP address.
QRadar.GeoForIP.LocationAccuracyRadiusNumberThe approximate accuracy radius in kilometers around the latitude and longitude for the IP address.
QRadar.GeoForIP.LocationAverageIncomeNumberThe average income associated with the IP address.
QRadar.GeoForIP.LocationLatitudeNumberThe approximate latitude of the location associated with the IP address.
QRadar.GeoForIP.LocationTimezoneStringTimezone of the location.
QRadar.GeoForIP.LocationLongitudeNumberThe approximate longitude of the location associated with the IP address.
QRadar.GeoForIP.LocationMetroCodeNumberThe metro code associated with the IP address. These are only available for IP addresses in the US. Returns the same metro codes as the Google AdWords API.
QRadar.GeoForIP.LocationPopulationDensityNumberThe estimated number of people per square kilometer.
QRadar.GeoForIP.PhysicalCountryIsoCodeStringISO code of country where MaxMind believes the end user is located.
QRadar.GeoForIP.PhysicalCountryNameStringName of country where MaxMind believes the end user is located.
QRadar.GeoForIP.RegisteredCountryIsoCodeStringISO code of the country that the ISP has registered the IP address.
QRadar.GeoForIP.RegisteredCountryNameStringName of the country that the ISP has registered the IP address.
QRadar.GeoForIP.RepresentedCountryIsoCodeStringISO code of the country that is represented by users of the IP address.
QRadar.GeoForIP.RepresentedCountryNameStringName of the country that is represented by users of the IP address.
QRadar.GeoForIP.RepresentedCountryConfidenceNumberValue between 0-100 that represents MaxMind's confidence that the represented country is correct.
QRadar.GeoForIP.IPAddressStringIP address to look up.
QRadar.GeoForIP.Traits.autonomous_system_numberNumberThe autonomous system number associated with the IP address.
QRadar.GeoForIP.Traits.autonomous_system_organizationStringThe organization associated with the registered autonomous system number for the IP address.
QRadar.GeoForIP.Traits.domainStringThe second level domain associated with the IP address.
QRadar.GeoForIP.Traits.internet_service_providerStringThe name of the internet service provider associated with the IP address.
QRadar.GeoForIP.Traits.organizationStringThe name of the organization associated with the IP address.
QRadar.GeoForIP.Traits.user_typeStringThe user type associated with the IP address.
QRadar.GeoForIP.CoordinatesNumberLatitude and longitude by MaxMind.
QRadar.GeoForIP.PostalCodeStringThe postal code associated with the IP address.
QRadar.GeoForIP.PostalCodeConfidenceNumberValue between 0-100 that represents MaxMind's confidence that the postal code is correct.

Command example#

!qradar-geolocations-for-ip ip="1.1.1.1,1.1.1.1" range=0-1

Context Example#

{
"QRadar": {
"GeoForIP": [
{
"CityName": "Mukilteo",
"ContinentName": "NorthAmerica",
"Coordinates": [
47.913,
-122.3042
],
"IPAddress": "1.1.1.1",
"LocationAccuracyRadius": 1000,
"LocationLatitude": 47.913,
"LocationLongitude": -122.3042,
"LocationMetroCode": 819,
"LocationTimezone": "America/Los_Angeles",
"PhysicalCountryIsoCode": "US",
"PhysicalCountryName": "United States",
"PostalCode": "98275",
"RegisteredCountryIsoCode": "US",
"RegisteredCountryName": "United States"
},
{
"CityName": "Mukilteo",
"ContinentName": "NorthAmerica",
"Coordinates": [
47.913,
-122.3042
],
"IPAddress": "1.1.1.1",
"LocationAccuracyRadius": 1000,
"LocationLatitude": 47.913,
"LocationLongitude": -122.3042,
"LocationMetroCode": 819,
"LocationTimezone": "America/Los_Angeles",
"PhysicalCountryIsoCode": "US",
"PhysicalCountryName": "United States",
"PostalCode": "98275",
"RegisteredCountryIsoCode": "US",
"RegisteredCountryName": "United States"
}
]
}
}

Human Readable Output#

Geolocation For IP#

CityNameContinentNameCoordinatesIPAddressLocationAccuracyRadiusLocationLatitudeLocationLongitudeLocationMetroCodeLocationTimezonePhysicalCountryIsoCodePhysicalCountryNamePostalCodeRegisteredCountryIsoCodeRegisteredCountryName
MukilteoNorthAmerica47.913,
-122.3042
1.1.1.1100047.913-122.3042819America/Los_AngelesUSUnited States98275USUnited States
MukilteoNorthAmerica47.913,
-122.3042
1.1.1.1100047.913-122.3042819America/Los_AngelesUSUnited States98275USUnited States

qradar-log-sources-list#


Retrieves a list of log sources.

Base Command#

qradar-log-sources-list

Input#

Argument NameDescriptionRequired
qrd_encryption_algorithmThe algorithm to use for encrypting the sensitive data of this endpoint. Possible values are: AES128, AES256. Default is AES128.Required
qrd_encryption_passwordThe password to use for encrypting the sensitive data of this endpoint. If password was not given, random password will be generated.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter log sources, e.g., "auto_discovered=false". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,status". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--config-event_sources-log_source_management-log_sources-GET.html.Optional
idID of a specific log source.Optional

Context Output#

PathTypeDescription
QRadar.LogSource.SendingIPStringIP of the system which the log source is associated with, or fed by.
QRadar.LogSource.InternalBooleanWhether log source is internal.
QRadar.LogSource.ProtocolParametersUnknownProtocol parameters.
QRadar.LogSource.DescriptionStringDescription of the log source.
QRadar.LogSource.EnabledBooleanWhether log source is enabled.
QRadar.LogSource.GroupIDsNumberLog source group IDs.
QRadar.LogSource.CredibilityNumberCredibility of the log source.
QRadar.LogSource.IDNumberID of the log source.
QRadar.LogSource.ProtocolTypeIDNumberProtocol type used by log source.
QRadar.LogSource.CreationDateDateDate when log source was created.
QRadar.LogSource.NameStringName of the log source.
QRadar.LogSource.AutoDiscoveredBooleanWhether log source was auto discovered.
QRadar.LogSource.ModifiedDateDateDate when log source was last modified.
QRadar.LogSource.TypeIDNumberThe log source type.
QRadar.LogSource.LastEventTimeDateDate when the last event was received by the log source.
QRadar.LogSource.GatewayBooleanWhether log source is configured as a gateway.
QRadar.LogSource.StatusUnknownStatus of the log source.

Command example#

!qradar-log-sources-list qrd_encryption_algorithm=AES128 range=0-2

Context Example#

{
"QRadar": {
"LogSource": [
{
"AutoDiscovered": false,
"CreationDate": "2022-11-21T18:45:24.624000+00:00",
"Credibility": 10,
"Description": "Search Results",
"Enabled": true,
"Gateway": false,
"GroupIDs": [
0
],
"ID": 68,
"Internal": true,
"LastEventTime": "1970-01-01T00:00:00+00:00",
"ModifiedDate": "2022-11-21T18:45:24.624000+00:00",
"Name": "Search Results-2 :: ip-172-31-17-10",
"ProtocolParameters": [
{
"id": 0,
"name": "identifier",
"value": "1.1.1.1"
},
{
"id": 1,
"name": "incomingPayloadEncoding",
"value": "UTF-8"
}
],
"ProtocolTypeID": 0,
"Status": {
"last_updated": 0,
"status": "NA"
},
"TypeID": 355
},
{
"AutoDiscovered": false,
"CreationDate": "2022-11-21T18:45:24.621000+00:00",
"Credibility": 10,
"Description": "System Notification",
"Enabled": true,
"Gateway": false,
"GroupIDs": [
0
],
"ID": 65,
"Internal": true,
"LastEventTime": "2023-08-02T08:39:00.106000+00:00",
"ModifiedDate": "2022-11-21T18:45:24.621000+00:00",
"Name": "System Notification-2 :: ip-172-31-17-10",
"ProtocolParameters": [
{
"id": 0,
"name": "identifier",
"value": "1.1.1.1"
},
{
"id": 1,
"name": "incomingPayloadEncoding",
"value": "UTF-8"
}
],
"ProtocolTypeID": 0,
"Status": {
"last_updated": 0,
"status": "SUCCESS"
},
"TypeID": 147
},
{
"AutoDiscovered": true,
"CreationDate": "2018-10-24T15:25:21.928000+00:00",
"Credibility": 5,
"Description": "WindowsAuthServer device",
"Enabled": true,
"Gateway": false,
"GroupIDs": [
0
],
"ID": 1262,
"Internal": false,
"LastEventTime": "2023-06-12T08:17:22.292000+00:00",
"ModifiedDate": "2023-02-23T14:12:45.774000+00:00",
"Name": "Experience Center: WindowsAuthServer @ 1.1.1.1",
"ProtocolParameters": [
{
"id": 0,
"name": "identifier",
"value": "1.1.1.1"
},
{
"id": 1,
"name": "incomingPayloadEncoding",
"value": "UTF-8"
}
],
"ProtocolTypeID": 0,
"Status": {
"last_updated": 0,
"messages": [
{
"severity": "ERROR",
"text": "Events have not been received from this Log Source in over 720 minutes."
}
],
"status": "ERROR"
},
"TypeID": 12
}
]
}
}

Human Readable Output#

Log Sources List#

IDNameDescriptionInternalProtocolParametersCredibilityGroupIDsCreationDateStatusEnabledProtocolTypeIDAutoDiscoveredGatewayTypeIDModifiedDateLastEventTime
68Search Results-2 :: ip-172-31-17-10Search Resultstrue{'name': 'identifier', 'id': 0, 'value': '1.1.1.1'},
{'name': 'incomingPayloadEncoding', 'id': 1, 'value': 'UTF-8'}
1002022-11-21T18:45:24.624000+00:00last_updated: 0
status: NA
true0falsefalse3552022-11-21T18:45:24.624000+00:001970-01-01T00:00:00+00:00
65System Notification-2 :: ip-172-31-17-10System Notificationtrue{'name': 'identifier', 'id': 0, 'value': '1.1.1.1'},
{'name': 'incomingPayloadEncoding', 'id': 1, 'value': 'UTF-8'}
1002022-11-21T18:45:24.621000+00:00last_updated: 0
status: SUCCESS
true0falsefalse1472022-11-21T18:45:24.621000+00:002023-08-02T08:39:00.106000+00:00
1262Experience Center: WindowsAuthServer @ 1.1.1.1WindowsAuthServer devicefalse{'name': 'identifier', 'id': 0, 'value': '1.1.1.1'},
{'name': 'incomingPayloadEncoding', 'id': 1, 'value': 'UTF-8'}
502018-10-24T15:25:21.928000+00:00last_updated: 0
messages: {'severity': 'ERROR', 'text': 'Events have not been received from this Log Source in over 720 minutes.'}
status: ERROR
true0truefalse122023-02-23T14:12:45.774000+00:002023-06-12T08:17:22.292000+00:00

qradar-get-custom-properties#


Retrieves a list of event regex properties.

Base Command#

qradar-get-custom-properties

Input#

Argument NameDescriptionRequired
field_nameA comma-separated list of names of the exact properties to search for.Optional
limitThe maximum number of regex event properties to fetch. Default is 25.Optional
like_nameA comma-separated list names of a properties to search for. Values are case insensitive.Optional
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter regex properties, e.g., "auto_discovered=false". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,gateway". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--config-event_sources-custom_properties-regex_properties-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Properties.identifierStringID of the event regex property.
QRadar.Properties.modification_dateDateDate when the event regex property was last updated.
QRadar.Properties.datetime_formatStringDate/time pattern that the event regex property matches.
QRadar.Properties.property_typeStringProperty type. Possible values: "STRING", "NUMERIC", "IP", "PORT", "TIME".
QRadar.Properties.nameStringName of the event regex property.
QRadar.Properties.auto_discoveredBooleanWhether the event regex property was auto discovered.
QRadar.Properties.descriptionStringDescription of the event regex property.
QRadar.Properties.idNumberID of the event regex property.
QRadar.Properties.use_for_rule_engineBooleanWhether the event regex property is parsed when the event is received.
QRadar.Properties.creation_dateDateDate when the event regex property was created.
QRadar.Properties.localeStringLanguage tag of what locale the property matches.
QRadar.Properties.usernameStringThe owner of the event regex property.

Command example#

!qradar-get-custom-properties filter="id between 90 and 100" range=1-1231

Context Example#

{
"QRadar": {
"Properties": [
{
"auto_discovered": false,
"creation_date": "2012-07-04T17:05:02+00:00",
"datetime_format": "",
"description": "Default custom extraction of Event Summary from DSM payload.",
"id": 97,
"identifier": "DEFAULT_EVENT_SUMMARY",
"locale": "en-US",
"modification_date": "2022-11-21T18:44:07.572000+00:00",
"name": "Event Summary",
"property_type": "string",
"use_for_rule_engine": true,
"username": "admin"
},
{
"auto_discovered": false,
"creation_date": "2009-09-04T16:58:12.961000+00:00",
"datetime_format": "",
"description": "Default custom extraction of Avt-App-VolumePackets from DSM payload.",
"id": 99,
"identifier": "4d616180-00d0-4ba0-b423-bfb54e1b8677",
"locale": "en-US",
"modification_date": "2022-11-21T18:44:08.049000+00:00",
"name": "Packets",
"property_type": "numeric",
"use_for_rule_engine": false,
"username": "admin"
},
{
"auto_discovered": false,
"creation_date": "2010-07-27T13:32:44.494000+00:00",
"datetime_format": "NULL::character varying",
"description": "",
"id": 96,
"identifier": "8eb82a2c-bba7-478f-9248-69fba8baf8c7",
"locale": "NULL::character varying",
"modification_date": "2022-11-21T18:59:14.020000+00:00",
"name": "Parent",
"property_type": "string",
"use_for_rule_engine": true,
"username": "admin"
}
]
}
}

Human Readable Output#

Custom Properties#

auto_discoveredcreation_datedatetime_formatdescriptionididentifierlocalemodification_datenameproperty_typeuse_for_rule_engineusername
false2012-07-04T17:05:02+00:00Default custom extraction of Event Summary from DSM payload.97DEFAULT_EVENT_SUMMARYen-US2022-11-21T18:44:07.572000+00:00Event Summarystringtrueadmin
false2009-09-04T16:58:12.961000+00:00Default custom extraction of Avt-App-VolumePackets from DSM payload.994d616180-00d0-4ba0-b423-bfb54e1b8677en-US2022-11-21T18:44:08.049000+00:00Packetsnumericfalseadmin
false2010-07-27T13:32:44.494000+00:00NULL::character varying968eb82a2c-bba7-478f-9248-69fba8baf8c7NULL::character varying2022-11-21T18:59:14.020000+00:00Parentstringtrueadmin

qradar-reset-last-run#


Resets the fetch incidents last run value, which resets the fetch to its initial fetch state. (Will try to fetch the first available offense).

Base Command#

qradar-reset-last-run

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

get-mapping-fields#


Returns the list of fields for an incident type. This command should be used for debugging purposes.

Base Command#

get-mapping-fields

Input#

There are no input arguments for this command.

Context Output#

There is no context output for this command.

get-remote-data#


Gets remote data from a remote incident. This method does not update the current incident, and should be used for debugging purposes.

Base Command#

get-remote-data

Input#

Argument NameDescriptionRequired
idThe offense ID.Required
lastUpdateDate string in local time representing the last time the incident was updated. The incident is only returned if it was modified after the last update time.Required

Context Output#

There is no context output for this command.

get-modified-remote-data#


Returns the list of incidents IDs that were modified since the last update time. Note that this method is for debugging purposes. The get-modified-remote-data command is used as part of the mirroring feature, which is available from version 6.1.

Base Command#

get-modified-remote-data

Input#

Argument NameDescriptionRequired
lastUpdateDate string in local time representing the last time the incident was updated. The incident is only returned if it was modified after the last update time.Optional

Context Output#

There is no context output for this command.

qradar-offenses#


Gets offenses from QRadar.

Base Command#

qradar-offenses

Input#

Argument NameDescriptionRequired
filterQuery by which to filter offenses. For reference, consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html.Optional
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not explicitly named, are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names. For reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-GET.html.Optional
rangeRange of results to return. e.g.: 0-20.Optional
headersTable headers to use the human readable output (if none provided, will show all table headers).Optional

Context Output#

PathTypeDescription
QRadar.Offense.FollowupbooleanOffense followup.
QRadar.Offense.CredibilitynumberThe credibility of the offense.
QRadar.Offense.RelevancenumberThe relevance of the offense.
QRadar.Offense.SeveritynumberThe severity of the offense.
QRadar.Offense.SourceAddressUnknownThe source addresses that are associated with the offense.
QRadar.Offense.DestinationAddressUnknownThe destination addresses that are associated with the offense.
QRadar.Offense.AssignedTostringThe user the offense is assigned to.
QRadar.Offense.StartTimedateThe time (ISO) when the offense was started.
QRadar.Offense.IDintThe ID of the offense.
QRadar.Offense.DestinationHostnameUnknownDestintion hostname.
QRadar.Offense.DescriptionstringThe description of the offense.
QRadar.Offense.EventCountnumberThe number of events that are associated with the offense.
QRadar.Offense.OffenseSourcestringThe source of the offense.
QRadar.Offense.StatusstringThe status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
QRadar.Offense.MagnitudenumberThe magnitude of the offense.
QRadar.Offense.ClosingUserstringThe user that closed the offense.
QRadar.Offense.ClosingReasonstringThe offense closing reason.
QRadar.Offense.CloseTimedateThe time when the offense was closed.
QRadar.Offense.LastUpdatedTimedateThe time (ISO) when the offense was last updated.
QRadar.Offense.CategoriesUnknownEvent categories that are associated with the offense.
QRadar.Offense.FlowCountnumberThe number of flows that are associated with the offense.
QRadar.Offense.FollowUpbooleanOffense followup.
QRadar.Offense.OffenseTypestringA number that represents the offense type.
QRadar.Offense.ProtectedbooleanIs the offense protected.
QRadar.Offense.RemoteDestinationCountUnknownThe remote destinations that are associated with the offesne. If this value is greater than 0 that means your offense has a remote destination, you will need to use QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip

qradar-offense-by-id#


Gets offense with matching offense ID from qradar.

Base Command#

qradar-offense-by-id

Input#

Argument NameDescriptionRequired
offense_idOffense ID.Required
filterQuery to filter offense. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html.Optional
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names, for reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-GET.html.Optional
headersTable headers to use in the human readable output (if none provided, will show all table headers).Optional

Context Output#

PathTypeDescription
QRadar.Offense.FollowupbooleanOffense followup.
QRadar.Offense.CredibilitynumberThe credibility of the offense.
QRadar.Offense.RelevancenumberThe relevance of the offense.
QRadar.Offense.SeveritynumberThe severity of the offense.
QRadar.Offense.SourceAddressUnknownThe source addresses that are associated with the offense.
QRadar.Offense.DestinationAddressUnknownThe local destination addresses that are associated with the offense. If your offense has a remote destination, you will need to use the QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip.
QRadar.Offense.RemoteDestinationCountUnknownThe remote destination that are associated with the offesne. If this value is greater than 0, it means that your offense has a remote destination, you will need to use the QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip.
QRadar.Offense.AssignedTostringThe user the offense is assigned to.
QRadar.Offense.StartTimedateThe time (ISO) when the offense was started.
QRadar.Offense.IDintThe ID of the offense.
QRadar.Offense.DestinationHostnameUnknownDestintion hostname.
QRadar.Offense.DescriptionstringThe description of the offense.
QRadar.Offense.EventCountnumberThe number of events that are associated with the offense.
QRadar.Offense.OffenseSourcestringThe source of the offense.
QRadar.Offense.StatusstringThe status of the offense. One of "OPEN", "HIDDEN", or "CLOSED".
QRadar.Offense.MagnitudenumberThe magnitude of the offense.
QRadar.Offense.ClosingUserstringThe user that closed the offense.
QRadar.Offense.ClosingReasonstringThe offense closing reason.
QRadar.Offense.CloseTimedateThe time when the offense was closed.
QRadar.Offense.LastUpdatedTimedateThe time (ISO) when the offense was last updated.
QRadar.Offense.CategoriesUnknownEvent categories that are associated with the offense.
QRadar.Offense.FlowCountnumberThe number of flows that are associated with the offense.
QRadar.Offense.FollowUpbooleanOffense followup.
QRadar.Offense.OffenseTypestringA number that represents the offense type.
QRadar.Offense.ProtectedbooleanIs the offense protected.

| QRadar.Offense.RemoteDestinationCount | Unknown | The remote destinations that are associated with the offesne. If this value is greater than 0 that means your offense has a remote destination, you will need to use QRadarFullSearch playbook with the following query - SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |

qradar-searches#


Searches in QRadar using AQL. It is highly recommended to use the playbook 'QRadarFullSearch' instead of this command - it will execute the search, and will return the result.

Base Command#

qradar-searches

Input#

Argument NameDescriptionRequired
query_expressionThe query expressions in AQL (for more information about Ariel Query Language, review "https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/c_aql_intro.html").Required
headersTable headers to use the human readable output (if none provided, will show all table headers).Optional

Context Output#

PathTypeDescription
QRadar.Search.IDnumberSearch ID.
QRadar.Search.StatusstringThe status of the search.

qradar-get-search#


Gets a specific search id and status.

Base Command#

qradar-get-search

Input#

Argument NameDescriptionRequired
search_idThe search id.Required
headersTable headers to use the human readable output (if none provided, will show all table headers).Optional

Context Output#

PathTypeDescription
QRadar.Search.IDnumberSearch ID.
QRadar.Search.StatusstringThe status of the search.

qradar-get-search-results#


Gets search results.

Base Command#

qradar-get-search-results

Input#

Argument NameDescriptionRequired
search_idThe search id.Required
rangeRange of results to return. e.g.: 0-20.Optional
headersTable headers to use the human readable output (if none provided, will show all table headers).Optional
output_pathReplaces the default context output path for the query result (QRadar.Search.Result). e.g. for output_path=QRadar.Correlations the result will be under the key "QRadar.Correlations" in the context data.Optional

Context Output#

PathTypeDescription
QRadar.Search.ResultUnknownThe result of the search.

qradar-get-assets#


List all assets found in the model.

Base Command#

qradar-get-assets

Input#

Argument NameDescriptionRequired
filterQuery to filter assets. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html.Optional
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names, for reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--asset_model-assets-GET.html.Optional
rangeRange of results to return. e.g.: 0-20.Optional
headersTable headers to use the human readable output (if none provided, will show all table headers).Optional

Context Output#

PathTypeDescription
QRadar.Asset.IDnumberThe ID of the asset.
Endpoint.IPAddressUnknownIP address of the asset.
QRadar.Asset.Name.ValuestringName of the asset.
Endpoint.OSnumberAsset OS.
QRadar.Asset.AggregatedCVSSScore.ValuenumberCVSSScore.
QRadar.Asset.AggregatedCVSSScore.LastUserstringLast user who updated the Aggregated CVSS Score.
QRadar.Asset.Weight.ValuenumberAsset weight.
QRadar.Asset.Weight.LastUserstringLast user who updated the weight.
QRadar.Asset.Name.LastUserstringLast user who updated the name.

qradar-get-asset-by-id#


Retrieves the asset by id.

Base Command#

qradar-get-asset-by-id

Input#

Argument NameDescriptionRequired
asset_idThe ID of the requested asset.Required

Context Output#

PathTypeDescription
QRadar.Asset.IDnumberThe ID of the asset.
Endpoint.MACAddressUnknownAsset MAC address.
Endpoint.IPAddressUnknownIP address of the endpoint.
QRadar.Asset.ComplianceNotes.ValuestringCompliance notes.
QRadar.Asset.CompliancePlan.ValuestringCompliance plan.
QRadar.Asset.CollateralDamagePotential.ValueUnknownCollateral damage potential.
QRadar.Asset.AggregatedCVSSScore.ValuenumberCVSSScore.
QRadar.Asset.Name.ValuestringName of the asset.
QRadar.Asset.GroupNamestringName of the asset's group.
Endpoint.DomainUnknownDNS name.
Endpoint.OSUnknownAsset OS.
QRadar.Asset.Weight.ValuenumberAsset weight.
QRadar.Asset.Vulnerabilities.ValueUnknownVulnerabilities.
QRadar.Asset.LocationstringLocation.
QRadar.Asset.DescriptionstringThe asset description.
QRadar.Asset.SwitchIDnumberSwitch ID.
QRadar.Asset.SwitchPortnumberSwitch port.
QRadar.Asset.Name.LastUserstringLast user who updated the name.
QRadar.Asset.AggregatedCVSSScore.LastUserstringLast user who updated the Aggregated CVSS Score.
QRadar.Asset.Weight.LastUserstringLast user who updated the weight.
QRadar.Asset.ComplianceNotes.LastUserstringLast user who updated the compliance notes.
QRadar.Asset.CompliancePlan.LastUserstringLast user who updated the compliance plan.
QRadar.Asset.CollateralDamagePotential.LastUserstringLast user who updated the collateral damage potential.
QRadar.Asset.Vulnerabilities.LastUserstringLast user who updated the vulnerabilities.

qradar-get-closing-reasons#


Get closing reasons.

Base Command#

qradar-get-closing-reasons

Input#

Argument NameDescriptionRequired
include_reservedIf true, reserved closing reasons are included in the response. Possible values are: true, false. Default is true.Optional
include_deletedIf true, deleted closing reasons are included in the response. Possible values are: true, false. Default is true.Optional
filterQuery to filter results. For reference, consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html.Optional
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names. For reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offense_closing_reasons-GET.html.Optional
rangeRange of results to return. e.g.: 0-20.Optional

Context Output#

PathTypeDescription
QRadar.Offense.ClosingReasons.IDnumberClosing reason ID.
QRadar.Offense.ClosingReasons.NamestringClosing reason name.

qradar-get-note#


Retrieve a note for an offense.

Base Command#

qradar-get-note

Input#

Argument NameDescriptionRequired
offense_idThe offense ID to retrieve the note from.Required
note_idThe note ID.Optional
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names. For reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html.Optional
headersTable headers to use the human readable output (if none provided, will show all table headers).Optional

Context Output#

PathTypeDescription
QRadar.Note.IDnumberNote ID.
QRadar.Note.TextstringNote text.
QRadar.Note.CreateTimedateThe creation time of the note.
QRadar.Note.CreatedBystringThe user who created the note.

qradar-create-note#


Create a note on an offense.

Base Command#

qradar-create-note

Input#

Argument NameDescriptionRequired
offense_idThe offense ID to add the note to.Required
note_textThe note text.Required
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names. For reference, consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-POST.html.Optional
headersTable headers to use the human readable output (if none provided, will show all table headers).Optional

Context Output#

PathTypeDescription
QRadar.Note.IDnumberNote ID.
QRadar.Note.TextstringNote text.
QRadar.Note.CreateTimedateThe creation time of the note.
QRadar.Note.CreatedBystringThe user who created the note.

qradar-get-reference-by-name#


Information about the reference set that had data added or updated. This returns the information set, but not the contained data. This feature is supported from version 8.1 and upward.

Base Command#

qradar-get-reference-by-name

Input#

Argument NameDescriptionRequired
ref_nameThe name of the requestered reference.Required
headersTable headers to use in the human readable output (if none provided, will show all table headers).Optional
date_valueIf set to true will try to convert the data values to ISO-8601 string. Possible values are: True, False. Default is False.Optional

Context Output#

PathTypeDescription
QRadar.Reference.NamestringThe name of the reference set.
QRadar.Reference.CreationTimedateThe creation time (ISO) of the reference.
QRadar.Reference.ElementTypestringReference element type.
QRadar.Reference.NumberOfElementsnumberNumber of elements.
QRadar.Reference.TimeToLivestringReference time to live.
QRadar.Reference.TimeoutTypestringReference timeout type. Valid values are: UNKNOWN, FIRST_SEEN, LAST_SEEN.
QRadar.Reference.DataUnknownReference set items.

qradar-create-reference-set#


Creates a new reference set. If the provided name is already in use, this command will fail.

Base Command#

qradar-create-reference-set

Input#

Argument NameDescriptionRequired
ref_nameReference name to be created.Required
element_typeThe element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970. Possible values are: ALN, ALNIC, IP, NUM, PORT, DATE.Required
timeout_typeThe allowed values are "FIRST_SEEN", LAST_SEEN and UNKNOWN. The default value is UNKNOWN. Possible values are: FIRST_SEEN, LAST_SEEN, UNKNOWN.Optional
time_to_liveThe time to live interval, for example: "1 month" or "5 minutes".Optional

Context Output#

PathTypeDescription
QRadar.Reference.CreationTimedateCreation time of the reference set.
QRadar.Reference.ElementTypestringThe element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE.
QRadar.Reference.NamestringName of the reference set.
QRadar.Reference.NumberOfElementsnumberNumber of elements in the created reference set.
QRadar.Reference.TimeoutTypestringTimeout type of the reference. The allowed values are FIRST_SEEN, LAST_SEEN and UNKNOWN.

qradar-delete-reference-set#


Deletes a reference set corresponding to the name provided.

Base Command#

qradar-delete-reference-set

Input#

Argument NameDescriptionRequired
ref_nameThe name of reference set to delete.Required

Context Output#

There is no context output for this command.

qradar-create-reference-set-value#


Add or update a value in a reference set.

Base Command#

qradar-create-reference-set-value

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to add or update a value in.Required
valueThe value/s to add or update in the reference set. Note: Date values must be represented in epoch in reference sets (milliseconds since the Unix Epoch January 1st 1970). If 'date_value' is set to 'True', then the argument will be converted from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch.Required
sourceAn indication of where the data originated. The default value is 'reference data api'.Optional
date_valueIf set to True, will convert 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. Possible values are: True, False. Default is False.Optional

Context Output#

PathTypeDescription
QRadar.Reference.NamestringThe name of the reference set.
QRadar.Reference.CreationTimedateThe creation time (ISO) of the reference.
QRadar.Reference.ElementTypestringReference element type.
QRadar.Reference.NumberOfElementsnumberNumber of elements.
QRadar.Reference.TimeoutTypestringReference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN.

qradar-update-reference-set-value#


Adds or updates a value in a reference set.

Base Command#

qradar-update-reference-set-value

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to add or update a value in.Required
valueA comma-separated list of values to add or update in the reference set. Date values must be represented in milliseconds since the Unix Epoch January 1st 1970.Required
sourceAn indication of where the data originated. The default value is 'reference data api'.Optional
date_valueIf set to True, will convert 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. Possible values are: True, False. Default is False.Optional

Context Output#

PathTypeDescription
QRadar.Reference.NamestringThe name of the reference set.
QRadar.Reference.CreationTimedateThe creation time (ISO) of the reference.
QRadar.Reference.ElementTypestringReference element type.
QRadar.Reference.NumberOfElementsnumberNumber of elements.
QRadar.Reference.TimeoutTypestringReference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN

qradar-delete-reference-set-value#


Deletes a value in a reference set.

Base Command#

qradar-delete-reference-set-value

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to remove a value from.Required
valueThe value to remove from the reference set.Required
date_valueIf set to True will convert 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g., '2018-11-06T08:56:41.000000Z') to epoch. Possible values are: True, False. Default is False.Optional

Context Output#

PathTypeDescription
QRadar.Reference.NamestringThe name of the reference set.
QRadar.Reference.CreationTimedateThe creation time (ISO) of the reference.
QRadar.Reference.ElementTypestringReference element type.
QRadar.Reference.NumberOfElementsnumberNumber of elements.
QRadar.Reference.TimeoutTypestringReference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN.

qradar-delete-reference-set-value#


Deletes a value in a reference set.

Base Command#

qradar-delete-reference-set-value

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to remove a value from.Required
valueThe value to remove from the reference set.Required
date_valueIf set to True will convert 'value' argument from date in format: '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. Possible values are: True, False. Default is False.Optional

Context Output#

PathTypeDescription
QRadar.Reference.NamestringThe name of the reference set.
QRadar.Reference.CreationTimedateThe creation time (ISO) of the reference.
QRadar.Reference.ElementTypestringReference element type.
QRadar.Reference.NumberOfElementsnumberNumber of elements.
QRadar.Reference.TimeoutTypestringReference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN

qradar-get-domains#


Retrieve all Domains.

Base Command#

qradar-get-domains

Input#

Argument NameDescriptionRequired
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html.Optional
rangeNumber of results in return.Optional
filterQuery to filter offenses.Optional

Context Output#

PathTypeDescription
QRadar.Domains.AssetScannerIDsNumberArray of Asset Scanner IDs.
QRadar.Domains.CustomPropertiesStringCustom properties of the domain.
QRadar.Domains.DeletedBooleanIndicates if the domain is deleted.
QRadar.Domains.DescriptionStringDescription of the domain.
QRadar.Domains.EventCollectorIDsNumberArray of Event Collector IDs.
QRadar.Domains.FlowCollectorIDsNumberArray of Flow Collector IDs.
QRadar.Domains.FlowSourceIDsNumberArray of Flow Source IDs.
QRadar.Domains.IDNumberID of the domain.
QRadar.Domains.LogSourceGroupIDsNumberArray of Log Source Group IDs.
QRadar.Domains.LogSourceIDsNumberArray of Log Source IDs.
QRadar.Domains.NameStringName of the Domain.
QRadar.Domains.QVMScannerIDsNumberArray of QVM Scanner IDs.
QRadar.Domains.TenantIDNumberID of the Domain tenant.

qradar-get-domain-by-id#


Retrieves Domain information By ID.

Base Command#

qradar-get-domain-by-id

Input#

Argument NameDescriptionRequired
idID of the domain.Required
fieldsIf used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not explicitly named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html.Optional

Context Output#

PathTypeDescription
QRadar.Domains.AssetScannerIDsNumberArray of Asset Scanner IDs.
QRadar.Domains.CustomPropertiesStringCustom properties of the domain.
QRadar.Domains.DeletedBooleanIndicates if the domain is deleted.
QRadar.Domains.DescriptionStringDescription of the domain.
QRadar.Domains.EventCollectorIDsNumberArray of Event Collector IDs.
QRadar.Domains.FlowCollectorIDsNumberArray of Flow Collector IDs.
QRadar.Domains.FlowSourceIDsNumberArray of Flow Source IDs.
QRadar.Domains.IDNumberID of the domain.
QRadar.Domains.LogSourceGroupIDsNumberArray of Log Source Group IDs.
QRadar.Domains.LogSourceIDsNumberArray of Log Source IDs.
QRadar.Domains.NameStringName of the Domain.
QRadar.Domains.QVMScannerIDsNumberArray of QVM Scanner IDs.
QRadar.Domains.TenantIDNumberID of the Domain tenant.

qradar-upload-indicators#


Uploads indicators from Demisto to QRadar.

Base Command#

qradar-upload-indicators

Input#

Argument NameDescriptionRequired
ref_nameThe name of the reference set to add or update a value in. To create a new reference set, you need to set the element type.Required
element_typeThe element type for the values permitted in the reference set. Only required when creating a new reference set. The valid values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970. Possible values are: ALN, ALNIC, IP, NUM, PORT, DATE.Optional
timeout_typeThe timeout_type can be "FIRST_SEEN", "LAST_SEEN", or "UNKNOWN". The default value is UNKNOWN. Only required for creating a new reference set. Possible values are: FIRST_SEEN, LAST_SEEN, UNKNOWN.Optional
time_to_liveThe time to live interval, for example: "1 month" or "5 minutes". Only required when creating a new reference set.Optional
queryThe query for getting indicators.Required
limitThe maximum number of indicators to return. The default value is 1000. Default is 1000.Optional
pageThe page from which to get the indicators. Default is 0.Optional

Context Output#

There is no context output for this command.

qradar-ips-source-get#


Get Source IPs

Base Command#

qradar-ips-source-get

Input#

Argument NameDescriptionRequired
source_ipComma separated list. Source IPs to retrieve their data, E.g "1.1.1.1,1.1.1.1".Optional
filterQuery to filter IPs. E.g, filter=source_ip="1.1.1.1". For reference please consult: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsIf used, will filter all fields except for the ones specified. Use this argument to specify which fields should be returned in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names, for reference, consult: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-source_addresses-GET.html.Optional
rangeRange of results to return. e.g.: 0-20.Optional

Context Output#

PathTypeDescription
QRadar.SourceIP.IDNumberThe ID of the destination address.
QRadar.SourceIP.DomainIDStringThe ID of associated domain.
QRadar.SourceIP.EventFlowCountNumberThe number of events and flows that are associated with the destination address.
QRadar.SourceIP.FirstEventFlowSeenDateDate when the first event or flow was seen.
QRadar.SourceIP.LastEventFlowSeenDateDate when the last event or flow was seen.
QRadar.SourceIP.SourceIPStringThe IP address.
QRadar.SourceIP.MagnitudeNumberThe magnitude of the destination address.
QRadar.SourceIP.NetworkStringThe network of the destination address.
QRadar.SourceIP.OffenseIDsUnknownList of offense IDs the destination address is part of.
QRadar.SourceIP.LocalDestinationAddressIDsUnknownList of local destination address IDs associated with the source address.

Command example#

!qradar-ips-source-get filter=`source_ip="1.1.1.1"` range=0-2

Context Example#

{
"QRadar": {
"SourceIP": {
"DomainID": 0,
"EventFlowCount": 654,
"FirstEventFlowSeen": "2023-07-26T14:31:44.753000+00:00",
"ID": 31,
"LastEventFlowSeen": "2023-07-26T15:31:06.386000+00:00",
"LocalDestinationAddressIDs": [
64
],
"Magnitude": 0,
"Network": "Net-10-172-192.Net_192_168_0_0",
"OffenseIDs": [
14
],
"SourceIP": "1.1.1.1"
}
}
}

Human Readable Output#

Source IPs#

DomainIDEventFlowCountFirstEventFlowSeenIDLastEventFlowSeenLocalDestinationAddressIDsMagnitudeNetworkOffenseIDsSourceIP
06542023-07-26T14:31:44.753000+00:00312023-07-26T15:31:06.386000+00:00640Net-10-172-192.Net_192_168_0_0141.1.1.1

qradar-ips-local-destination-get#


Get Source IPs

Base Command#

qradar-ips-local-destination-get

Input#

Argument NameDescriptionRequired
local_destination_ipComma separated list. Local destination IPs to retrieve their data, E.g "1.1.1.1,1.1.1.1".Optional
filterQuery to filter IPs. E.g, filter=local_destination_ip="1.1.1.1" For reference please consult: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsIf used, will filter all fields except for the ones specified. Use this argument to specify which fields should be returned in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object separated by commas. The filter uses QRadar's field names, for reference, consult: https://ibmsecuritydocs.github.io/qradar_api_14.0/14.0--siem-local_destination_addresses-GET.html.Optional
rangeRange of results to return. e.g.: 0-20.Optional

Context Output#

PathTypeDescription
QRadar.LocalDestinationIP.IDNumberThe ID of the destination address.
QRadar.LocalDestinationIP.DomainIDStringThe ID of associated domain.
QRadar.LocalDestinationIP.EventFlowCountNumberThe number of events and flows that are associated with the destination address.
QRadar.LocalDestinationIP.FirstEventFlowSeenDateDate when the first event or flow was seen.
QRadar.LocalDestinationIP.LastEventFlowSeenDateDate when the last event or flow was seen.
QRadar.LocalDestinationIP.LocalDestinationIPStringThe IP address.
QRadar.LocalDestinationIP.MagnitudeNumberThe magnitude of the destination address.
QRadar.LocalDestinationIP.NetworkStringThe network of the destination address.
QRadar.LocalDestinationIP.OffenseIDsUnknownList of offense IDs the destination address is part of.
QRadar.LocalDestinationIP.SourceAddressIDsUnknownList of source address IDs associated with the destination address.

Command example#

``!qradar-ips-local-destination-get filter=local_destination_ip="1.1.1.1"````

Human Readable Output#

Local Destination IPs#

No entries.

qradar-search-retrieve-events#


Polling command to search for events of a specific offense.

Base Command#

qradar-search-retrieve-events

Input#

Argument NameDescriptionRequired
offense_idThe ID of the offense to retrieve. Mutually exclusive with query_expression.Optional
events_limitThe number of events to return. Mutually exclusive with query_expression.Optional
events_columnsComma separated list of columns to return. Mutually exclusive with query_expression.Optional
fetch_modeThe mode to use when fetching events. Mutually exclusive with query_expression. Possible values are: Fetch With All Events, Fetch Correlation Events Only.Optional
start_timeThe start time of the search. Mutually exclusive with query_expression.Optional
query_expressionThe AQL query to execute. Mutually exclusive with the other arguments.Optional
interval_in_secondsThe interval in seconds to use when polling events.Optional
search_idThe search id to query the results.Optional
retry_if_not_all_fetchedWhenever set to true, the command retries to fetch all events if the number of events fetched is less than event_count. Possible values are: true, false.Optional
pollingWait for search results. Possible values are: true, false.Optional

Context Output#

PathTypeDescription
QRadar.SearchEvents.IDUnknownThe search id of the query.
QRadar.SearchEvents.EventsUnknownThe events from QRadar search.
QRadar.SearchEvents.StatusUnknownThe status of the search ('wait', 'partial', 'success').

Command example#

!qradar-search-retrieve-events offense_id=14

Context Example#

{
"QRadar": {
"SearchEvents": {
"ID": "9c2c18a8-5e06-4edb-bc26-53ad44421148",
"Status": "wait"
}
}
}

Human Readable Output#

Search ID: 9c2c18a8-5e06-4edb-bc26-53ad44421148

qradar-remote-network-cidr-create#


Create remote network CIDRs.

Base Command#

qradar-remote-network-cidr-create

Input#

Argument NameDescriptionRequired
cidrsAn input list of CIDRs to add to QRadar (can be obtained automatically from EDL integrations and playbook). Multiple values in the same object are separated by commas. A CIDR or query is required.Optional
queryThe query for getting indicators from Cortex XSOAR. A CIDR or query is required.Optional
nameA CIDR (remote network) name that will be displayed for all uploaded values in QRadar.Required
descriptionDescription that will be displayed and associated with all the newly uploaded CIDRs in QRadar.Required
groupThe exact name of the remote network group that CIDRs should be associated with as it appears in QRadar. A single group can be assigned to each create command. A new remote network group can be created in QRadar by giving a new unique remote network group name (that does not already exist in QRadar remote networks).Required
fieldsUse this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded from the output. Specify subfields in brackets, and multiple fields in the same object are separated by commas. The possible fields are id, group, name, CIDR, and description.Optional

Context Output#

There is no context output for this command.

qradar-remote-network-cidr-list#


Retrieves the list of staged remote networks.

Base Command#

qradar-remote-network-cidr-list

Input#

Argument NameDescriptionRequired
limitThe maximum number of results to return. The default is 50.Optional
pageThe page offset.Optional
page_sizeMaximum number of results to retrieve in each page.Optional
groupThe name of the remote network group that the CIDRs are associated with, as it appears in QRadar.Optional
idID of the CIDR (remote network).Optional
nameThe name of the CIDRs (remote network) as it appears in QRadar.Optional
filterAdditional options to filter results using a query expression.Optional
fieldsUse this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. By default, this argument returns all fields (id, name, cidrs, group, description).Optional

Context Output#

PathTypeDescription
QRadar.RemoteNetworkCIDRNumberA list of all the retrieved CIDRs.
QRadar.RemoteNetworkCIDR.idNumberID of each CIDR remote network that is part of the group.
QRadar.RemoteNetworkCIDR.nameStringThe associated CIDR name as it appears in QRadar.
QRadar.RemoteNetworkCIDR.descriptionStringThe associated CIDR description as it appears in QRadar.

qradar-remote-network-cidr-delete#


Deletes an existing staged remote network.

Base Command#

qradar-remote-network-cidr-delete

Input#

Argument NameDescriptionRequired
idID that is used to locate the staged remote network that users want to remove from QRadar.Required

Context Output#

There is no context output for this command.

qradar-remote-network-cidr-update#


Updates an existing staged remote network.

Base Command#

qradar-remote-network-cidr-update

Input#

Argument NameDescriptionRequired
idThe ID that is associated with the CIDR object that needs to be modified.Required
nameThe CIDR name in QRadar. If the CIDR name should be changed, it can be inserted here.Required
cidrsAn input list of CIDRs to add to QRadar (can be obtained automatically from EDL integrations and playbook). Multiple values in the same object are separated by commas. A CIDR or query is required.Optional
queryThe query for getting indicators from Cortex XSOAR. A CIDR or query is required.Optional
descriptionCIDR associated description presented in QRadar. If the CIDR description should be changed, it can be inserted here.Required
groupThe remote network group that CIDRs should belong to. If the CIDR-associated group should be changed, it can be inserted here.Required
fieldsUse this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets, and multiple fields in the same object are separated by commas. The possible fields are id,group,name,cidr,description.Optional

Context Output#

PathTypeDescription
QRadar.RemoteNetworkCIDRNumberA list of all the CIDR ranges that were changed.
QRadar.RemoteNetworkCIDR.idNumberThe associated CIDR ID.
QRadar.RemoteNetworkCIDR.nameStringThe associated CIDR name.
QRadar.RemoteNetworkCIDR.groupStringThe group to which the remote network belongs.
QRadar.RemoteNetworkCIDR.descriptionStringThe description of the remote network.

qradar-remote-network-deploy-execution#


Executes a deployment. Potentially harmful: This API command executes any waiting system deployments in QRadar within the same deployment type and hosts defined.

Base Command#

qradar-remote-network-deploy-execution

Input#

Argument NameDescriptionRequired
host_ipThe IP of QRadar console host.Required
statusThe deployment status. Must be in capital letters (“INITIATING”). Possible values are: INITIATING.Optional
deployment_typeThe deployment type. Must be in capital letters (“INCREMENTAL” or “FULL”). Possible values are: INCREMENTAL, FULL.Required

Context Output#

PathTypeDescription
QRadar.deploy.statusStringThe deployment status (INITIALIZING, IN_PROGRESS, COMPLETE).

qradar-log-source-extensions-list#


Retrieves a list of log source extensions.

Base Command#

qradar-log-source-extensions-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter disconnected log collectors, e.g., "protocol=udp". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,protocol". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-log_source_extensions-GET.html.Optional
idID of a specific disconnected log collector.Optional

Context Output#

PathTypeDescription
QRadar.LogSourceExtension.NameStringThe name of the log source extension.
QRadar.LogSourceExtension.DescriptionStringThe description of the log source extension.
QRadar.LogSourceExtension.IDNumberThe ID of the extension.
QRadar.LogSourceExtension.UUIDStringThe UUID string of the log source extension.

qradar-log-source-delete#


Deletes a log source by ID or name. One of the arguments must be provided.

Base Command#

qradar-log-source-delete

Input#

Argument NameDescriptionRequired
idThe ID of the log source to be deleted. If this argument is not provided, name must be provided.Optional
nameThe unique name of the log source to be deleted. If this argument is not provided, the ID must be provided.Optional

Context Output#

There is no context output for this command.

qradar-wincollect-destinations-list#


Retrieves a list of WinCollect destinations. In order to get wincollect_internal_destination_ids - filter internal=true needs to be used In order to get wincollect_external_destination_ids - filter internal=false needs to be used.

Base Command#

qradar-wincollect-destinations-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter wincollect destinations, e.g., "internal=true". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,host". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-wincollect-wincollect_destinations-GET.html.Optional
idID of a specific WinCollect destination.Optional

Context Output#

PathTypeDescription
QRadar.WinCollectDestination.IDNumberThe ID of the WinCollect destination.
QRadar.WinCollectDestination.NameStringThe name of the WinCollect destination.
QRadar.WinCollectDestination.HostStringThe IP or hostname of the WinCollect destination. WinCollect agents that use this destination send syslog event data to this host.
QRadar.WinCollectDestination.TlsCertificateStringThe TLS Certificate of the WinCollect destination.
QRadar.WinCollectDestination.PortNumberThe listen port of the WinCollect destination. WinCollect agents that use this destination send syslog event data to this port.
QRadar.WinCollectDestination.TransportProtocolStringThe protocol that is used to send event data to this WinCollect destination. Possible values are TCP or UDP.
QRadar.WinCollectDestination.IsInternalBooleanSet to "true" if the destination corresponds to a QRadar event collector process from this deployment; otherwise, it is set to false if it is any other host.
QRadar.WinCollectDestination.EventRateThrottleNumberThe events-per-second rate that is used to throttle the event flow to this destination.

qradar-log-source-create#


Creates a new log source.

Base Command#

qradar-log-source-create

Input#

Argument NameDescriptionRequired
nameThe unique name of the log source.Required
protocol_type_idThe type of protocol that is used by the log source. Must correspond to an existing protocol type.Required
type_idThe type of the log source. Must correspond to an existing log source type.Required
protocol_parametersThe list of protocol parameters corresponding with the selected protocol type ID. The syntax for this argument should follow: protocol_parameters="name_1=value_1,name_2=value_2,...,name_n=value_n" where each name should correspond to a name of a protocol parameter from the protocol type and each value should fit the type of the protocol parameter. The command qradar-log-source-protocol-types-list can be used to list all available protocol types.Required
target_event_collector_idThe ID of the event collector where the log source sends its data. The ID must correspond to an existing event collector.Required
sending_ipThe IP of the system which the log source is associated to, or fed by.Optional
descriptionThe description of the log source.Optional
coalesce_eventsDetermines if events collected by this log source are coalesced based on common properties. If each individual event is stored, then the condition is set to false. Defaults to true.Optional
enabledDetermines if the log source is enabled. Defaults to true.Optional
parsing_orderThe order in which log sources will parse if multiples exist with a common identifier.Optional
group_idsThe set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group. The command qradar-log-sources-groups-list can be used to list all available groups. See the Log Source Group API (https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-log_source_groups-id-GET.html).Optional
credibilityOn a scale of 0-10, the amount of credibility that the QRadar administrator places on this log source.Optional
store_event_payloadIf the payloads of events that are collected by this log source are stored, the condition is set to 'true'. If only the normalized event records are stored, then the condition is set to 'false'.Optional
disconnected_log_collector_idThe ID of the disconnected log collector where this log source will run. The ID must correspond to an existing disconnected log collector.Optional
language_idThe language of the events that are being processed by this log source. Must correspond to an existing log source language.Optional
requires_deploySet to 'true' if you need to deploy changes to enable the log source for use; otherwise, set to 'false' if the log source is already active.Optional
wincollect_internal_destination_idThe internal WinCollect destination for this log source, if applicable. Log sources without an associated WinCollect agent have a null value. Must correspond to an existing WinCollect destination.Optional
wincollect_external_destination_idsThe set of external WinCollect destinations for this log source, if applicable. Log sources without an associated WinCollect agent have a null value. Each ID must correspond to an existing WinCollect destination.Optional
gatewayIf the log source is configured as a gateway, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a standalone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline.Optional

Context Output#

PathTypeDescription
QRadar.LogSource.SendingIPStringIP of the system which the log source is associated with, or fed by.
QRadar.LogSource.InternalBooleanWhether log source is internal.
QRadar.LogSource.ProtocolParametersUnknownProtocol parameters.
QRadar.LogSource.DescriptionStringDescription of the log source.
QRadar.LogSource.EnabledBooleanWhether log source is enabled.
QRadar.LogSource.GroupIDsNumberLog source group IDs.
QRadar.LogSource.CredibilityNumberCredibility of the log source.
QRadar.LogSource.IDNumberID of the log source.
QRadar.LogSource.ProtocolTypeIDNumberProtocol type used by log source.
QRadar.LogSource.CreationDateDateDate when log source was created.
QRadar.LogSource.NameStringName of the log source.
QRadar.LogSource.AutoDiscoveredBooleanWhether log source was auto discovered.
QRadar.LogSource.ModifiedDateDateDate when log source was last modified.
QRadar.LogSource.TypeIDNumberThe log source type.
QRadar.LogSource.LastEventTimeDateDate when the last event was received by the log source.
QRadar.LogSource.GatewayBooleanWhether log source is configured as a gateway.
QRadar.LogSource.StatusunknownStatus of the log source.
QRadar.LogSource.TargetEventCollectorIDNumberThe ID of the event collector where the log source sends its data.

qradar-log-source-languages-list#


Retrieves a list of log source languages.

Base Command#

qradar-log-source-languages-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter disconnected log collectors, e.g., "protocol=udp". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,protocol". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-log_source_languages-GET.html.Optional
idID of a specific disconnected log collector.Optional

Context Output#

PathTypeDescription
QRadar.LogSourceLanguage.IDNumberThe ID of the language. This ID does not change across deployments.
QRadar.LogSourceLanguage.NameStringThe display name of the language.

qradar-log-source-protocol-types-list#


Retrieves the list of protocol types.

Base Command#

qradar-log-source-protocol-types-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter disconnected log collectors, e.g., "protocol=udp". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,protocol_parameters". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-protocol_types-GET.html.Optional
idID of a specific disconnected log collector.Optional

Context Output#

PathTypeDescription
QRadar.LogSourceProtocolType.GatewaySupportedBooleanIf this protocol type can be configured for a gateway log source, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a standalone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a 'gateway' for events from multiple systems to enter the event pipeline. Not all protocol types can be used as a gateway if they don't support collecting event data from multiple sources.
QRadar.LogSourceProtocolType.IDNumberThe ID of the protocol type.
QRadar.LogSourceProtocolType.InboundBooleanIndicates whether this is an inbound protocol.
QRadar.LogSourceProtocolType.LatestVersionStringThe latest version available of the protocol type component.
QRadar.LogSourceProtocolType.NameStringThe unique name of the protocol type.
QRadar.LogSourceProtocolType.ParameterGroups.idNumberThe ID of the protocol parameter group.
QRadar.LogSourceProtocolType.ParameterGroups.nameStringThe name of the protocol parameter group.
QRadar.LogSourceProtocolType.ParameterGroups.requiredBooleanIf at least one parameter in this group must be set, the condition is set to true; otherwise, the condition is set to false.
QRadar.LogSourceProtocolType.Parameters.allowed_values.nameStringAn allowed value for the name of the parameter.
QRadar.LogSourceProtocolType.Parameters.allowed_values.valueStringAn allowed value for the value of the parameter.
QRadar.LogSourceProtocolType.Parameters.default_valueStringThe optional default parameter value.
QRadar.LogSourceProtocolType.Parameters.descriptionStringThe description of the parameter.
QRadar.LogSourceProtocolType.Parameters.group_idNumberThe ID of the protocol parameter group that this parameter belongs to. The group_id is optional.
QRadar.LogSourceProtocolType.Parameters.idNumberThe ID of the parameter.
QRadar.LogSourceProtocolType.Parameters.labelStringThe label of the parameter.
QRadar.LogSourceProtocolType.Parameters.max_lengthNumberThe maximum length of the parameter value for the following parameter types: STRING, TEXT, HOST, PASSWORD, REGEX. The max_length is optional.
QRadar.LogSourceProtocolType.Parameters.max_valueStringThe maximum of the parameter value for the following parameter types: INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL. The max_value is optional.
QRadar.LogSourceProtocolType.Parameters.min_lengthNumberThe minimum length of the parameter value for the following parameter types: STRING, TEXT, HOST, PASSWORD, REGEX. The max_length is optional.
QRadar.LogSourceProtocolType.Parameters.min_valueStringThe minimum of the parameter value for the following parameter types: INTEGER, REAL, DATE, TIME, DATETIME, INTERVAL. The max_value is optional.
QRadar.LogSourceProtocolType.Parameters.nameStringThe name of the parameter.
QRadar.LogSourceProtocolType.Parameters.patternStringAn optional Java regex pattern restriction on the parameter value for the following parameter types: STRING, TEXT, HOST, PASSWORD.
QRadar.LogSourceProtocolType.Parameters.pattern_descriptionStringThe description of the pattern of the parameter.
QRadar.LogSourceProtocolType.Parameters.requiredBooleanIf the parameter is mandatory, the condition is set to true; otherwise, the condition is set to false.
QRadar.LogSourceProtocolType.Parameters.rules.affected_propertyStringThe affected property. For possible values visit: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-protocol_types-GET.html
QRadar.LogSourceProtocolType.Parameters.rules.affected_property_valueStringThe value to be applied to the affected parameter when the rule is triggered. For further info visit: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-protocol_types-GET.html
QRadar.LogSourceProtocolType.Parameters.rules.parameter_idNumberThe ID of the parameter affected by the rule.
QRadar.LogSourceProtocolType.Parameters.rules.trigger_parameter_idNumberThe ID of the trigger parameter.
QRadar.LogSourceProtocolType.Parameters.rules.trigger_patternStringThe pattern that triggers the rule. For example, if the value of trigger_parameter_id matches the regular expression of this field, the rule triggers.
QRadar.LogSourceProtocolType.Parameters.typeStringThe type of the parameter. Possible values are: STRING, TEXT, INTEGER, REAL, BOOLEAN, DATE, TIME, DATETIME, INTERVAL, HOST, PASSWORD, REGEX.
QRadar.LogSourceProtocolType.TestingCapabilities.can_accept_sample_eventsBooleanIndicates whether the protocol type can accept sample events (only applicable to inbound protocol types).
QRadar.LogSourceProtocolType.TestingCapabilities.can_collect_eventsBooleanIndicates whether the protocol type can collect test events.
QRadar.LogSourceProtocolType.TestingCapabilities.testableBooleanIndicates whether the protocol type is testable.
QRadar.LogSourceProtocolType.VersionStringThe version of the protocol type component.

qradar-disconnected-log-collectors-list#


Retrieves a list of disconnected log collectors.

Base Command#

qradar-disconnected-log-collectors-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter disconnected log collectors, e.g., "protocol=udp". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,protocol". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-disconnected_log_collectors-GET.html.Optional
idID of a specific disconnected log collector.Optional

Context Output#

PathTypeDescription
QRadar.DisconnectedLogCollector.IDNumberThe ID of the disconnected log collector.
QRadar.DisconnectedLogCollector.NameStringThe name of the disconnected log Collector.
QRadar.DisconnectedLogCollector.DescriptionStringThe description of the disconnected log collector.
QRadar.DisconnectedLogCollector.ProtocolStringThe transport protocol used by the disconnected log collector to send events to QRadar. Possible values are TLS and UDP.
QRadar.DisconnectedLogCollector.UUIDStringThe UUID of the disconnected log collector.
QRadar.DisconnectedLogCollector.VersionStringThe version of the disconnected log collector.

qradar-log-source-update#


Updates an exising log source.

Base Command#

qradar-log-source-update

Input#

Argument NameDescriptionRequired
idThe ID of the log source.Required
nameThe unique name of the log source.Optional
protocol_type_idThe type of protocol that is used by the log source. Must correspond to an existing protocol type.Optional
type_idThe type of the log source. Must correspond to an existing log source type.Optional
protocol_parametersThe list of protocol parameters corresponding with the selected protocol type ID. The syntax for this argument should follow: protocol_parameters="name_1=value_1,name_2=value_2,...,name_n=value_n" where each name should correspond to a name of a protocol parameter from the protocol type and each value should fit the type of the protocol parameter. The command qradar-log-source-protocol-types-list can be used to list all available protocol types.Optional
target_event_collector_idThe ID of the event collector where the log source sends its data. The ID must correspond to an existing event collector.Optional
sending_ipThe IP of the system which the log source is associated to, or fed by.Optional
descriptionThe description of the log source.Optional
coalesce_eventsDetermines if events collected by this log source are coalesced based on common properties. If each individual event is stored, then the condition is set to false. Defaults to true.Optional
enabledDetermines if the log source is enabled. Defaults to true.Optional
parsing_orderThe order in which log sources will parse if multiples exist with a common identifier.Optional
group_idsThe set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group. The command qradar-log-sources-groups-list can be used to list all available groups. See the Log Source Group API (https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-log_source_groups-id-GET.html).Optional
credibilityOn a scale of 0-10, the amount of credibility that the QRadar administrator places on this log source.Optional
store_event_payloadIf the payloads of events that are collected by this log source are stored, the condition is set to 'true'. If only the normalized event records are stored, then the condition is set to 'false'.Optional
disconnected_log_collector_idThe ID of the disconnected log collector where this log source will run. The ID must correspond to an existing disconnected log collector.Optional
language_idThe language of the events that are being processed by this log source. Must correspond to an existing log source language.Optional
requires_deploySet to 'true' if you need to deploy changes to enable the log source for use; otherwise, set to 'false' if the log source is already active.Optional
wincollect_internal_destination_idThe internal WinCollect destination for this log source, if applicable. Log sources without an associated WinCollect agent have a null value. Must correspond to an existing WinCollect destination.Optional
wincollect_external_destination_idsThe set of external WinCollect destinations for this log source, if applicable. Log Sources without an associated WinCollect agent have a null value. Each ID must correspond to an existing WinCollect destination.Optional
gatewayIf the log source is configured as a gateway, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a standalone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline.Optional

Context Output#

There is no context output for this command.

qradar-log-source-types-list#


Retrieves a list of log sources types.

Base Command#

qradar-log-source-types-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter disconnected log collectors, e.g., "protocol=udp". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,protocol". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-log_source_types-GET.html.Optional
idID of a specific disconnected log collector.Optional

Context Output#

PathTypeDescription
QRadar.LogSourceTypesList.CustomBooleanThe condition is set to true if this is a custom log source type; otherwise, the condition is set to false.
QRadar.LogSourceTypesList.DefaultProtocolIDNumberThe ID of the default protocol type for this log source type. The ID must correspond to an existing protocol type. See the Protocol Type API (/api/config/event_sources/log_source_management/protocol_types/).
QRadar.LogSourceTypesList.IDNumberThe ID of the log source type.
QRadar.LogSourceTypesList.InternalBooleanThe condition is set to true if the log source type is an internal log source type (for example, System Notification, SIM Audit, Asset Profiler, and so on) for which log sources cannot be created, edited, or deleted. If this is a user configurable log source type, the condition is set to false.
QRadar.LogSourceTypesList.LatestVersionStringThe latest available version of the log source type component.
QRadar.LogSourceTypesList.LogSourceExtensionIDNumberThe log source extension that is associated with the log source type. The ID must correspond to an existing log source extension or be set to null. See the Log Source Extension API (/api/config/event_sources/log_source_management/log_source_extensions/).
QRadar.LogSourceTypesList.NameStringThe unique name of the log source type. The name is not localized.
QRadar.LogSourceTypesList.protocol_types.documentedBooleanIndicates whether the protocol is documented/fully supported for this log source type.
QRadar.LogSourceTypesList.protocol_types.protocol_idNumberID of the protocol type.
QRadar.LogSourceTypesList.supported_language_idsListThe IDs of the languages supported by this log source type. Each ID must correspond to an existing log source language. See the Log Source Language API: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-log_source_languages-id-GET.html
QRadar.LogSourceTypesList.uuidStringA UUID string of the log source type.
QRadar.LogSourceTypesList.versionStringThe log source type plugin version.

qradar-log-source-groups-list#


Retrieves a list of log source languages.

Base Command#

qradar-log-source-groups-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter disconnected log collectors, e.g., "protocol=udp". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,protocol". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-log_source_management-log_source_groups-GET.html.Optional
idID of a specific disconnected log collector.Optional

Context Output#

PathTypeDescription
QRadar.LogSourceGroup.AssignableBooleanIf log sources can be assigned to this group, the condition is set to true; otherwise, the condition is set to false. Log sources cannot be assigned directly to the "Other" group or to the root log source group node.
QRadar.LogSourceGroup.ChildGroupIDsListThe list of IDs of any child log source groups that belong to this group.
QRadar.LogSourceGroup.DescriptionStringThe description of the group.
QRadar.LogSourceGroup.IDNumberThe ID of the group.
QRadar.LogSourceGroup.ModificationDateNumberThe date and time (expressed as milliseconds since epoch) that the group was last modified.
QRadar.LogSourceGroup.NameStringThe name of the group.
QRadar.LogSourceGroup.OwnerStringThe name of the user who owns the group.
QRadar.LogSourceGroup.ParentIDNumberThe ID of the group's parent group. The root node group has a null parent_ID.

qradar-event-collectors-list#


Retrieves a list of event collectors.

Base Command#

qradar-event-collectors-list

Input#

Argument NameDescriptionRequired
rangeRange of results to return (e.g.: 0-20, 3-5, 3-3). Default is 0-49.Optional
filterQuery by which to filter event collectors, e.g., "auto_discovered=false". For reference, see: https://www.ibm.com/support/knowledgecenter/SS42VS_SHR/com.ibm.qradarapi.doc/c_rest_api_filtering.html.Optional
fieldsComma-separated list of fields to retrieve in the response. Fields that are not explicitly named are excluded. E.g., "id,name,status". Specify subfields in brackets and multiple fields in the same object separated by commas. For a full list of available fields, see: https://ibmsecuritydocs.github.io/qradar_api_20.0/20.0--config-event_sources-event_collectors-GET.html.Optional
idID of a specific event collector.Optional

Context Output#

PathTypeDescription
QRadar.EventCollector.NameStringThe display name of the event collector. Not localized because it is derived from a process/component name and the hostname of the managed host it runs on, neither of which are translatable.
QRadar.EventCollector.HostIDNumberThe ID of the host on which this event collector process runs.
QRadar.EventCollector.ComponentNameStringThe name of the component backing this event collector process. Also contained in the "name" field.
QRadar.EventCollector.IDNumberThe unique ID of the event collector.