# IBM QRadar

IBM QRadar is a leading SIEM platform that provides real-time threat detection and security intelligence.

IBM QRadar is a comprehensive Security Information and Event Management (SIEM) platform that provides real-time visibility and analysis of security data. The IBM QRadar connector for Swimlane Turbine allows users to automate SIEM operations, enhance threat detection, and streamline incident response. By integrating with IBM QRadar, Swimlane Turbine users can efficiently manage offenses, perform advanced searches, and maintain reference data, thereby improving security posture and operational efficiency.

## Prerequisites

Before you can use the IBM QRadar connector for Turbine, you'll need access to the IBM QRadar API. This requires the following:

- API Key authentication using the following parameters:
  - URL: the endpoint URL for accessing the IBM QRadar API
  - API Key: a unique key provided by IBM QRadar for authenticating API requests

## Asset Setup

If you want to use a specific version of the API, set the API Version parameter in the asset. By default, the latest API version is used.

## Capabilities

The IBM QRadar integration provides the following capabilities:

- Add/Update Data in Reference Map
- Add/Update Data in Reference Table
- Create Reference Map of Sets
- Create Reference Map
- Create Reference Table
- Get Offense Saved Search
- Get Reference Map of Sets
- List Assets
- List Reference Maps
- List Reference Tables
- List Rules
- Get Local Destination Address
- Get Log Source Types
- Create Log Source
- Get Log Sources
- And so on

## Get Offenses and Events

Fetches QRadar offenses, retrieves the associated events via AQL searches, parses IOCs, and returns enriched TEDS-format alerts.

### Endpoints Used

| Method | Endpoint | Purpose |
|---|---|---|
| GET | /api/siem/offenses | Retrieve offenses with optional filter, sort, and fields |
| POST | /api/ariel/searches | Submit an AQL search for each offense's events |
| GET | /api/ariel/searches/{search_id} | Poll the search status until completed, error, or cancelled |
| GET | /api/ariel/searches/{search_id}/results | Fetch up to 100 events for a completed search |
| DELETE | /api/ariel/searches/{search_id} | Clean up the search after results are retrieved or on timeout |

### Notes

For more information on Ariel Query Language (AQL), see IBM AQL: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_aql.pdf

API documentation: https://ibmsecuritydocs.github.io/qradar_api_14.0/

## Additional Documentation

- IBM QRadar Connector Documentation: https://docs.swimlane.com/connectors/ibm_qradar
- IBM QRadar API Documentation: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_aql.pdf
- IBM QRadar Authentication Guide: https://docs.swimlane.com/authentication_guides/ibm_qradar

## Configurations

### IBM QRadar API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| url | A URL to the target host | string | required |
| SEC | API key | string | required |
| api_version | API version | string | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add/Update Data in Reference Map

Add or update data in a specific IBM QRadar reference map using the provided map name and data.

Endpoint URL: `/api/reference_data/maps/bulk_load/{{name}}`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.name | string | required | Parameters for the Add/Update Data in Reference Map action |
| parameters.fields | string | optional | Parameters for the Add/Update Data in Reference Map action |
| data | array | optional | Response data |

Input example:

```json
{"path_parameters": {"name": "example_name"}, "parameters": {"fields": "string"}, "data": []}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |

Output example:

```json
{
  "status_code": 201,
  "response_headers": {},
  "reason": "Created",
  "json_body": {
    "creation_time": 42,
    "element_type": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
    "name": "string",
    "number_of_elements": 42,
    "time_to_live": "string",
    "timeout_type": "string <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
  }
}
```

### Add/Update Data in Reference Table

Add or update data in a specified IBM QRadar reference table using the `name` identifier and the provided `data`.

Endpoint URL: `/api/reference_data/tables/bulk_load/{{name}}`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.name | string | required | Parameters for the Add/Update Data in Reference Table action |
| parameters.fields | string | optional | Parameters for the Add/Update Data in Reference Table action |
| data | array | optional | Response data |

Input example:

```json
{"path_parameters": {"name": "example_name"}, "parameters": {"fields": "string"}, "data": []}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |

Output example:

```json
{
  "status_code": 201,
  "response_headers": {},
  "reason": "Created",
  "json_body": {
    "creation_time": 42,
    "element_type": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
    "name": "string",
    "number_of_elements": 42,
    "time_to_live": "string",
    "timeout_type": "string <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
  }
}
```

### Collect Events and Build Alerts

Collects AQL search results for QRadar offenses, parses IOC observables, and builds structured alert objects ready for ingestion.

Endpoint URL: `api/ariel/searches`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.offenses | array | optional | Array of QRadar offense objects from Get Offenses and Submit Searches |
| parameters.search_ids | array | optional | Array of `{offense_id, search_id}` pairs from Get Offenses and Submit Searches |
| parameters.search_ids.offense_id | number | optional | Parameters for the Collect Events and Build Alerts action |
| parameters.search_ids.search_id | string | optional | Parameters for the Collect Events and Build Alerts action |
| parameters.fetch_user_emails | boolean | optional | When true, calls GET /api/config/access/users to resolve the email for the username in each offense's `assigned_to` field |
| parameters.ioc_types | string | optional | Comma-separated list of IOC types to extract. Defaults to all types when omitted. |
| parameters.domains_ignore_list | string | optional | Comma-separated list of domains to exclude from observable extraction |
| parameters.ip_cidr_ignore_list | string | optional | Comma-separated list of CIDR ranges to exclude from observable extraction |
| parameters.regex_ignore | string | optional | Regex pattern; observables matching this pattern are excluded from extraction |
| parameters.ioc_ignore_paths | array | optional | Array of slash-separated field paths in event objects to exclude before IOC parsing. Supports wildcards. |

Input example:

```json
{
  "parameters": {
    "offenses": [],
    "search_ids": [{"offense_id": 123, "search_id": "string"}],
    "fetch_user_emails": true,
    "ioc_types": "string",
    "domains_ignore_list": "string",
    "ip_cidr_ignore_list": "string",
    "regex_ignore": "string",
    "ioc_ignore_paths": ["string"]
  }
}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| alerts | array | Array of structured alert objects built from QRadar offenses and their AQL event results |
| alerts.alert_uid | string | Unique identifier |
| alerts.alert_title | string | Output field alerts.alert_title |
| alerts.alert_description | string | Output field alerts.alert_description |
| alerts.alert_severity | string | Output field alerts.alert_severity |
| alerts.alert_categories | array | Output field alerts.alert_categories |
| alerts.alert_provider | string | Unique identifier |
| alerts.alert_created_timestamp | string | Output field alerts.alert_created_timestamp |
| alerts.alert_updated_timestamp | string | Output field alerts.alert_updated_timestamp |
| alerts.alert_end_timestamp | string | Output field alerts.alert_end_timestamp |
| alerts.alert_ingested_timestamp | string | Output field alerts.alert_ingested_timestamp |
| alerts.is_new_alert | boolean | Output field alerts.is_new_alert |
| alerts.alert_rules | array | Output field alerts.alert_rules |
| alerts.alert_impacted_ip_addresses | array | Output field alerts.alert_impacted_ip_addresses |
| alerts.alert_impacted_usernames | array | Name of the resource |
| alerts.alert_impacted_hostnames | array | Name of the resource |
| alerts.assigned_to | string | Username the offense is assigned to in QRadar |
| alerts.assigned_to_email | string | Email of the `assigned_to` user, resolved via GET /api/config/access/users. Empty string when `fetch_user_emails` is false or the user has no email. |
| alerts.observables | array | IOC observables extracted from event data |
| alerts.observables.observable_type | string | Type of the resource |
| alerts.observables.observable_value | string | Value for the parameter |
| alerts.raw_alert | array | Output field alerts.raw_alert |
| total_processed | number | Number of offenses processed in this invocation |
| latest_updated_timestamp | number | Epoch ms of the most recently updated offense in this batch |

Output example:

```json
{
  "alerts": [
    {
      "alert_uid": "string",
      "alert_title": "string",
      "alert_description": "string",
      "alert_severity": "string",
      "alert_categories": [],
      "alert_provider": "string",
      "alert_created_timestamp": "string",
      "alert_updated_timestamp": "string",
      "alert_end_timestamp": "string",
      "alert_ingested_timestamp": "string",
      "is_new_alert": true,
      "alert_rules": [],
      "alert_impacted_ip_addresses": [],
      "alert_impacted_usernames": [],
      "alert_impacted_hostnames": []
    }
  ],
  "total_processed": 123,
  "latest_updated_timestamp": 123,
  "pending_count": 123
}
```

### Create Reference Map

Initiate the creation of a new reference map in IBM QRadar using the provided `name` parameter.

Endpoint URL: `/api/reference_data/maps`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.name | string | required | Parameters for the Create Reference Map action |
| parameters.key_label | string | optional | Parameters for the Create Reference Map action |
| parameters.value_label | string | optional | Parameters for the Create Reference Map action |
| parameters.element_type | string | optional | Parameters for the Create Reference Map action |
| parameters.timeout_type | string | optional | Parameters for the Create Reference Map action |
| parameters.time_to_live | string | optional | Parameters for the Create Reference Map action |
| parameters.fields | string | optional | Parameters for the Create Reference Map action |

Input example:

```json
{"parameters": {"name": "example_name", "key_label": "string", "value_label": "string", "element_type": "string", "timeout_type": "string", "time_to_live": "string", "fields": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| collection_id | number | Unique identifier |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| name | string | Name of the resource |
| namespace | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |
| value_label | string | Value for the parameter |

Output example:

```json
{
  "status_code": 201,
  "response_headers": {},
  "reason": "Created",
  "json_body": {
    "collection_id": 42,
    "creation_time": 42,
    "element_type": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
    "key_label": "string",
    "name": "string",
    "namespace": "string <one of: PRIVATE, SHARED, TENANT>",
    "number_of_elements": 42,
    "time_to_live": "string",
    "timeout_type": "string <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
    "value_label": "string"
  }
}
```

### Create Reference Map of Sets

Create a new reference map of sets in IBM QRadar; a name and an element type are required for setup.

Endpoint URL: `api/reference_data/map_of_sets`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.name | string | required | The name of the reference map of sets to create |
| parameters.element_type | string | required | The element type for the values allowed in the reference map of sets |
| parameters.key_label | string | optional | The label to describe the keys |
| parameters.value_label | string | optional | The label to describe the data values |
| parameters.timeout_type | string | optional | Indicates whether the time_to_live interval is based on when the data was first seen or last seen |
| parameters.time_to_live | string | optional | The time to live interval |
| parameters.fields | string | optional | Use this parameter to specify which fields you would like to get back in the response |

Input example:

```json
{"parameters": {"name": "example_name", "element_type": "string", "key_label": "string", "value_label": "string", "timeout_type": "string", "time_to_live": "string", "fields": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |
| value_label | string | Value for the parameter |

Output example:

```json
{
  "status_code": 201,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "creation_time": 42,
    "element_type": "ALN",
    "key_label": "string",
    "name": "string",
    "number_of_elements": 42,
    "time_to_live": "string",
    "timeout_type": "FIRST_SEEN",
    "value_label": "string"
  }
}
```

### Create Reference Table

Create a new reference table in IBM QRadar with a specified name and element type.

Endpoint URL: `/api/reference_data/tables`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.name | string | required | Parameters for the Create Reference Table action |
| parameters.outer_key_label | string | optional | Parameters for the Create Reference Table action |
| parameters.key_name_types | string | optional | Parameters for the Create Reference Table action |
| parameters.element_type | string | required | Parameters for the Create Reference Table action |
| parameters.timeout_type | string | optional | Parameters for the Create Reference Table action |
| parameters.time_to_live | string | optional | Parameters for the Create Reference Table action |
| parameters.fields | string | optional | Parameters for the Create Reference Table action |

Input example:

```json
{"parameters": {"name": "example_name", "outer_key_label": "string", "key_name_types": "example_name", "element_type": "string", "timeout_type": "string", "time_to_live": "string", "fields": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| collection_id | number | Unique identifier |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| key_name_types | object | Name of the resource |
| key_name_types.string | string | Name of the resource |
| name | string | Name of the resource |
| namespace | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |

Output example:

```json
{
  "status_code": 201,
  "response_headers": {},
  "reason": "Created",
  "json_body": {
    "collection_id": 42,
    "creation_time": 42,
    "element_type": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
    "key_label": "string",
    "key_name_types": {"string": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"},
    "name": "string",
    "namespace": "string <one of: PRIVATE, SHARED, TENANT>",
    "number_of_elements": 42,
    "time_to_live": "string",
    "timeout_type": "string <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
  }
}
```

### Get Custom Properties

Retrieves a list of event regex custom properties defined in IBM QRadar, including the property name, type, and whether it is used by the rule engine.

Endpoint URL: `api/config/event_sources/custom_properties/regex_properties`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | Restricts the number of custom properties returned. Follows the QRadar Range header format. |
| parameters.filter | string | optional | Optional QRadar filter expression to restrict the list of custom properties returned. Example: `property_type = 'string'` |
| parameters.fields | string | optional | Optional comma-separated list of fields to include in the response (IBM field projection syntax). If omitted, all fields are returned. |

Input example:

```json
{"headers": {"Range": "string"}, "parameters": {"filter": "string", "fields": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| custom_properties | array | List of event regex custom property objects from GET /api/config/event_sources/custom_properties/regex_properties. Each object includes id, identifier, name, property_type, use_for_rule_engine, description, username, datetime_format, locale, and auto_discovered. |
| custom_properties.id | number | Unique identifier |
| custom_properties.identifier | string | Unique identifier |
| custom_properties.name | string | The field name to use in the AQL SELECT clause |
| custom_properties.property_type | string | One of string, numeric, ip, port, time |
| custom_properties.use_for_rule_engine | boolean | True if parsed at ingest time (indexed) |
| custom_properties.description | string | Output field custom_properties.description |
| custom_properties.username | string | Name of the resource |
| custom_properties.datetime_format | string | Output field custom_properties.datetime_format |
| custom_properties.locale | string | Output field custom_properties.locale |
| custom_properties.auto_discovered | boolean | Output field custom_properties.auto_discovered |

Output example:

```json
{
  "custom_properties": [
    {
      "id": 123,
      "identifier": "string",
      "name": "example_name",
      "property_type": "string",
      "use_for_rule_engine": true,
      "description": "string",
      "username": "example_name",
      "datetime_format": "string",
      "locale": "string",
      "auto_discovered": true
    }
  ]
}
```

### Get Deployed Users

Retrieves a list of all deployed users from QRadar via GET /api/config/access/users. Returns all users when called with the ADMIN capability, users without ADMIN when called with SAASADMIN, or only the current user otherwise.

Endpoint URL: `api/config/access/users`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | Restricts the number of users returned. Follows the QRadar Range header format (e.g. `items=0-49`). |
| parameters.current_user | boolean | optional | When true, only returns the caller's user. If called with an authorized service, no user will be returned. |
| parameters.filter | string | optional | Optional. Restricts the elements in the list based on the contents of various fields. |
| parameters.sort | string | optional | Optional. Used to sort the elements in the list. |
| parameters.fields | string | optional | Optional comma-separated list of fields to include in the response. Fields not named are excluded. |
| parameters.page_number | number | optional | 1-based page number to fetch. Use with page_size for Turbine loop pagination. Takes priority over the Range header; if omitted, Range header behaviour applies. |
| parameters.page_size | number | optional | Number of users per page when using page_number. Defaults to 50 if not set. |

Input example:

```json
{"headers": {"Range": "string"}, "parameters": {"current_user": true, "filter": "string", "sort": "string", "fields": "string", "page_number": 123, "page_size": 123}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| users | array | Array of deployed user objects from GET /api/config/access/users |
| users.id | number | Unique identifier |
| users.username | string | Name of the resource |
| users.email | string | Output field users.email |
| users.description | string | Output field users.description |
| users.user_role_id | number | Unique identifier |
| users.security_profile_id | number | Unique identifier |
| users.locale_id | string | Unique identifier |
| users.enable_popup_notifications | boolean | Output field users.enable_popup_notifications |
| users.old_password | string | Output field users.old_password |
| users.password | string | Output field users.password |
| users.password_creation_time | number | Time value |
| users.tenant_id | number | Unique identifier |
| users.allow_system_authentication_fallback | boolean | Output field users.allow_system_authentication_fallback |
| users.local_only_account | boolean | Count value |
| users.inactivity_timeout | number | Output field users.inactivity_timeout |
| users.notification_flag | string | Output field users.notification_flag |
| users.show_awf_default_dashboard | string | Output field users.show_awf_default_dashboard |
| users.display_theme | string | Output field users.display_theme |
| total_users_fetched | number | Output field total_users_fetched |
| total_users_available | number | Total users matching the filter (from the Content-Range header) |
| page_number | number | Output field page_number |
| page_size | number | Output field page_size |
| total_pages | number | Output field total_pages |

Output example:

```json
{
  "users": [
    {
      "id": 123,
      "username": "example_name",
      "email": "user@example.com",
      "description": "string",
      "user_role_id": 123,
      "security_profile_id": 123,
      "locale_id": "string",
      "enable_popup_notifications": true,
      "old_password": "string",
      "password": "string",
      "password_creation_time": 123,
      "tenant_id": 123,
      "allow_system_authentication_fallback": true,
      "local_only_account": true,
      "inactivity_timeout": 123
    }
  ],
  "total_users_fetched": 123,
  "total_users_available": 123,
  "page_number": 123,
  "page_size": 123,
  "total_pages": 123,
  "has_more": true
}
```

### Get Offense Saved Search

Retrieve a specific saved search for offenses in IBM QRadar using the provided search ID.

Endpoint URL: `api/siem/offense_saved_searches/{{id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | number | required | Parameters for the Get Offense Saved Search action |
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| parameters.filter | string | optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | optional | Use this parameter to specify which fields you would like to get back in the response |

Input example:

```json
{"path_parameters": {"id": 1}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| owner | string | Output field owner |

Output example:

```json
{"status_code": 201, "response_headers": {}, "reason": "OK", "json_body": {"id": 42, "name": "string", "owner": "string"}}
```

### Get Offenses and Submit Searches

Fetch IBM QRadar offenses and submit AQL event searches, returning the offenses with optional notes and the search IDs for event collection and alert building.

Endpoint URL: `api/siem/offenses`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | Restricts the number of offenses returned. Follows the QRadar Range header format. |
| parameters.page_number | number | optional | 1-based page number to fetch. Use with page_size for Turbine loop pagination. Takes priority over the Range header; if omitted, Range header behaviour applies. |
| parameters.page_size | number | optional | Number of offenses per page when using page_number. Defaults to 50 if not set. |
| parameters.filter | string | optional | QRadar filter expression applied to the offenses query. If omitted, all offenses within the specified range are returned. |
| parameters.sort | string | optional | Field to sort the offenses by |
| parameters.fields | string | optional | Optional comma-separated list forwarded to IBM QRadar GET /api/siem/offenses as the `fields` query parameter (IBM field projection syntax). If omitted, QRadar returns full offense objects with all default fields. |
| parameters.include_notes | boolean | optional | When true, fetches notes for each offense and attaches them as `offense.notes` (array of note objects: note_text, create_time, id, username). Fetches run in parallel. |
| parameters.custom_fields | boolean | optional | When true, queries QRadar for custom field definitions and their log source type mappings, then appends the relevant custom field names to the AQL SELECT clause for each offense based on its log source types. Custom fields are not returned by `SELECT *` alone. Adds two API calls per invocation (fetched once, not per offense). |

Input example:

```json
{"headers": {"Range": "string"}, "parameters": {"page_number": 123, "page_size": 123, "filter": "string", "sort": "string", "fields": "string", "include_notes": true, "custom_fields": true}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| offenses | array | QRadar offense objects from GET /api/siem/offenses; full fields when parameters.fields is omitted. Includes id, description, assigned_to, categories, severity, status, rules, log_sources, counts, networks, timestamps. include_notes adds notes[]. |
| search_ids | array | Array of `{offense_id, search_id}` pairs for the submitted AQL searches |
| search_ids.offense_id | number | Unique identifier |
| search_ids.search_id | string | Unique identifier |
| total_offenses_fetched | number | Number of offenses fetched in this call |
| total_offenses_available | number | Total offenses in QRadar matching the filter (from the Content-Range header) |
| page_number | number | Output field page_number |
| page_size | number | Output field page_size |
| total_pages | number | Output field total_pages |
| has_more | boolean | True if there are more pages to fetch. Use as the Turbine loop condition. |
| message | string | Set to "No data in array" when no offenses are returned |

Output example:

```json
{
  "offenses": [],
  "search_ids": [{"offense_id": 123, "search_id": "string"}],
  "total_offenses_fetched": 123,
  "total_offenses_available": 123,
  "page_number": 123,
  "page_size": 123,
  "total_pages": 123,
  "has_more": true,
  "message": "string"
}
```

### Get Reference Map of Sets

Retrieve a comprehensive list of all reference map of sets available in IBM QRadar.

Endpoint URL: `api/reference_data/map_of_sets`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| parameters.filter | string | optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | optional | Use this parameter to specify which fields you would like to get back in the response |

Input example:

```json
{"headers": {"Range": "string"}, "parameters": {"filter": "string", "fields": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |
| value_label | string | Value for the parameter |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "creation_time": 42,
    "element_type": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
    "key_label": "string",
    "name": "string",
    "number_of_elements": 42,
    "time_to_live": "string",
    "timeout_type": "string <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
    "value_label": "string"
  }
}
```

### List Assets

Retrieve a comprehensive overview of all network elements from the IBM QRadar asset model.

Endpoint URL: `api/asset_model/assets`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | optional | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. |
| parameters.sort | string | optional | This parameter is used to sort the elements in a list |
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. |

Input example:

```json
{"parameters": {"filter": "string", "fields": "string", "sort": "string"}, "headers": {"Range": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {
      "vulnerability_count": 42,
      "interfaces": [],
      "risk_score_sum": 42.5,
      "hostnames": [],
      "id": 42,
      "domain_id": 42,
      "properties": [],
      "users": [],
      "products": []
    }
  ]
}
```

### List Reference Maps

Retrieve all available reference maps from IBM QRadar to enhance context and decision making.

Endpoint URL: `/api/reference_data/maps`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | Parameters for the List Reference Maps action |
| parameters.fields | string | optional | Parameters for the List Reference Maps action |
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | HTTP headers for the request |

Input example:

```json
{"parameters": {"filter": "string", "fields": "string"}, "headers": {"Range": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {
      "collection_id": 42,
      "creation_time": 42,
      "element_type": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
      "key_label": "string",
      "name": "string",
      "namespace": "string <one of: PRIVATE, SHARED, TENANT>",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "string <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
      "value_label": "string"
    }
  ]
}
```

### List Reference Tables

Retrieve all available reference tables from IBM QRadar to enhance query and analysis capabilities.

Endpoint URL: `/api/reference_data/tables`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | Parameters for the List Reference Tables action |
| parameters.fields | string | optional | Parameters for the List Reference Tables action |
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | HTTP headers for the request |

Input example:

```json
{"parameters": {"filter": "string", "fields": "string"}, "headers": {"Range": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {
      "collection_id": 42,
      "creation_time": 42,
      "element_type": "string <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
      "key_label": "string",
      "key_name_types": {},
      "name": "string",
      "namespace": "string <one of: PRIVATE, SHARED, TENANT>",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "string <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
    }
  ]
}
```

### List Rules

Retrieve a comprehensive list of rules from IBM QRadar for analysis or modification.

Endpoint URL: `/api/analytics/rules`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | Parameters for the List Rules action |
| parameters.fields | string | optional | Parameters for the List Rules action |
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | HTTP headers for the request |

Input example:

```json
{"parameters": {"filter": "string", "fields": "string"}, "headers": {"Range": "string"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": [
    {
      "average_capacity": 42,
      "base_capacity": 42,
      "base_host_id": 42,
      "capacity_timestamp": 42,
      "creation_date": 42,
      "enabled": true,
      "id": 42,
      "identifier": "string",
      "linked_rule_identifier": "string",
      "modification_date": 42,
      "name": "string",
      "origin": "string <one of: SYSTEM, OVERRIDE, USER>",
      "owner": "string",
      "type": "string <one of: EVENT, FLOW, COMMON, OFFENSE>"
    }
  ]
}
```

### Get Local Destination Address

Retrieve a specific local destination address in IBM QRadar using the provided address ID.

Endpoint URL: `api/siem/local_destination_addresses/{{local_destination_address_id}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.local_destination_address_id | string | required | Parameters for the Get Local Destination Address action |
| parameters.fields | string | optional | Parameters for the Get Local Destination Address action |

Input example:

```json
{"parameters": {"fields": "field_one(field_two, field_three),field_four"}, "path_parameters": {"local_destination_address_id": "2"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| event_flow_count | number | Count value |
| source_address_ids | array | Unique identifier |
| first_event_flow_seen | number | Output field first_event_flow_seen |
| last_event_flow_seen | number | Output field last_event_flow_seen |
| magnitude | number | Output field magnitude |
| id | number | Unique identifier |
| offense_ids | array | Unique identifier |
| local_destination_ip | string | Output field local_destination_ip |
| domain_id | number | Unique identifier |
| network | string | Output field network |

Output example:

```json
{
  "event_flow_count": 123,
  "source_address_ids": [123],
  "first_event_flow_seen": 123,
  "last_event_flow_seen": 123,
  "magnitude": 123,
  "id": 123,
  "offense_ids": [123],
  "local_destination_ip": "string",
  "domain_id": 123,
  "network": "string"
}
```

### Get Log Source Types

Retrieve a comprehensive list of log source types from IBM QRadar for improved data categorization and analysis.

Endpoint URL: `api/config/event_sources/log_source_management/log_source_types`

Method: GET

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.fields | string | optional | Parameters for the Get Log Source Types action |
| parameters.filter | string | optional | Parameters for the Get Log Source Types action |
| headers | object | optional | HTTP headers for the request |
| headers.Range | string | optional | HTTP headers for the request |

Input example:

```json
{"parameters": {"fields": "field_one(field_two, field_three),field_four", "filter": "log_source_extension_id = '0'"}, "headers": {"Range": "items=0-49"}}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
[]
```

### Create Log Source

Create a new log source in IBM QRadar using the provided configuration details.

Endpoint URL: `api/config/event_sources/log_source_management/log_sources`

Method: POST

Input argument:

| Name | Type | Required | Description |
|---|---|---|---|
| parsing_order | number | optional | Parameter for Create Log Source |
| internal | boolean | optional | Parameter for Create Log Source |
| gateway | boolean | optional | Parameter for Create Log Source |
| protocol_parameters | array | optional | Parameters for the Create Log Source action |
| protocol_parameters.id | number | optional | Parameters for the Create Log Source action |
| protocol_parameters.value | string | optional | Parameters for the Create Log Source action |
| protocol_parameters.name | string | optional | Parameters for the Create Log Source action |
| target_event_collector_id | number | optional | Unique identifier |
| log_source_extension_id | object | optional | Unique identifier |
| enabled | boolean | optional | Parameter for Create Log Source |
| coalesce_events | boolean | optional | Parameter for Create Log Source |
| name | string | optional | Name of the resource |
| wincollect_external_destination_ids | object | optional | Unique identifier |
| description | string | optional | Parameter for Create Log Source |
| sending_ip | object | optional | Parameter for Create Log Source |
| language_id | number | optional | Unique identifier |
| credibility | number | optional | Parameter for Create Log Source |
| last_event_time | number | optional | Time value |
| wincollect_internal_destination_id | object | optional | Unique identifier |
| average_eps | number | optional | Parameter for Create Log Source |
| disconnected_log_collector_id | object | optional | Unique identifier |
| requires_deploy | boolean | optional | Parameter for Create Log Source |
| auto_discovered | boolean | optional | Parameter for Create Log Source |
| type_id | number | optional | Unique identifier |
| protocol_type_id | number | optional | Unique identifier |

Input example:

```json
{
  "json_body": {
    "parsing_order": 0,
    "internal": false,
    "gateway": false,
    "protocol_parameters": [{"id": 0, "value": "facfc4b8-9937-5f98-e78a-e48fe34ab143", "name": "identifier"}],
    "target_event_collector_id": 7,
    "log_source_extension_id": null,
    "enabled": true,
    "coalesce_events": true,
    "name": "swinlane_test_facfc4b8-9937-5f98-e78a-e48fe34ab",
    "wincollect_external_destination_ids": null,
    "description": "swinlane test",
    "sending_ip": null,
    "language_id": 1,
    "credibility": 8,
    "last_event_time": 0,
    "wincollect_internal_destination_id": null,
    "average_eps": 0,
    "disconnected_log_collector_id": null,
    "requires_deploy": true,
    "auto_discovered": false,
    "type_id": 115,
    "protocol_type_id": 0,
    "store_event_payload": true,
    "group_ids": [0]
  }
}
```

Output parameter:

| Name | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sending_ip | object | Output field sending_ip |
| internal | boolean | Output field internal |
| protocol_parameters | array | Parameters for the Create Log Source action |
| protocol_parameters.name | string | Parameters for the Create Log Source action |
| protocol_parameters.id | number | Parameters for the Create Log Source action |
| protocol_parameters.value | string | Parameters for the Create Log Source action |
| description | string | Output field description |
| coalesce_events | boolean | Output field coalesce_events |
| enabled | boolean | Output field enabled |
| parsing_order | number | Output field parsing_order |
| average_eps | number | Output field average_eps |
| group_ids | array | Unique identifier |
| credibility | number | Output field credibility |
| id | number | Unique identifier |
| store_event_payload | boolean | Output field store_event_payload |
| target_event_collector_id | number | Unique identifier |
| protocol_type_id | number | Unique identifier |
| language_id | number | Unique identifier |
| creation_date | number | Date value |
| wincollect_external_destination_ids | object | Unique identifier |
| log_source_extension_id | object | Unique identifier |
| name | string | Name of the resource |
| modified_date | number | Date value |

Output example (truncated in the source):

```json
{
  "sending_ip": {},
  "internal": true,
  "protocol_parameters": [{"name": "example_name", "id": 123, "value": "string"}],
  "description": "string",
  "coalesce_events": true,
  "enabled": true,
  "parsing_order"
```
123,"average eps" 123,"group ids" \[123],"credibility" 123,"id" 123,"store event payload"\ true,"target event collector id" 123,"protocol type id" 123,"language id" 123} get log sources obtain a comprehensive list of log sources from ibm qradar for improved analysis and monitoring endpoint url api/config/event sources/log source management/log sources method get input argument name type required description parameters fields string optional parameters for the get log sources action parameters filter string optional parameters for the get log sources action parameters sort string optional parameters for the get log sources action headers object optional http headers for the request headers range string optional http headers for the request headers x qrd encryption algorithm string optional http headers for the request headers x qrd encryption password string optional http headers for the request input example {"parameters" {"fields" "field one (field two, field three),field four","filter" "field one = 'string' and field two > 42 or not field three in (1, 2, 3)","sort" "+field one, object(sub field)"},"headers" {"range" "items=0 49","x qrd encryption algorithm" "aes256","x qrd encryption password" "testpassword"}} output parameter type description status code number http status code of the response reason string response reason phrase output example \[] patch log sources apply patches to multiple log sources in ibm qradar, enabling creation, updates, and deletions in one transaction returns a task resource location endpoint url api/config/event sources/log source management/log sources method patch output parameter type description status code number http status code of the response reason string response reason phrase output example {} get offenses pulls a detailed list of offenses from ibm qradar for in depth analysis and monitoring endpoint url api/siem/offenses method get input argument name type required description headers object optional http headers for the 
request headers range string optional use this parameter to restrict the number of elements that are returned in the list to a specified range parameters filter string optional this parameter is used to restrict the elements in a list base on the contents of various fields parameters sort string optional this parameter is used to sort the elements in a list parameters fields string optional use this parameter to specify which fields you would like to get back in the response input example {"parameters" {"filter" "last persisted time >= 1668526028000","sort" "+field one, object(sub field)","fields" "field one (field two, field three),field four"},"headers" {"range" "items=0 49"}} output parameter type description status code number http status code of the response reason string response reason phrase output example \[] get offense by id retrieve detailed properties of a specific offense in ibm qradar using the provided offense id endpoint url api/siem/offenses/{{offense id}} method get input argument name type required description path parameters offense id number required parameters for the get offense by id action parameters fields string optional parameters for the get offense by id action input example {"parameters" {"fields" "field one (field two, field three),field four"},"path parameters" {"offense id" 7544}} output parameter type description status code number http status code of the response reason string response reason phrase last persisted time number time value username count number name of the resource description string output field description rules array output field rules rules id number unique identifier rules type string type of the resource event count number count value flow count number count value assigned to object output field assigned to security category count number count value follow up boolean output field follow up source address ids array unique identifier source count number count value inactive boolean output field inactive 
protected boolean output field protected closing user string output field closing user destination networks array output field destination networks source network string output field source network category count number count value close time number time value remote destination count number count value start time number time value magnitude number output field magnitude output example {"last persisted time" 123,"username count" 123,"description" "string","rules" \[{"id" 123,"type" "string"}],"event count" 123,"flow count" 123,"assigned to" {},"security category count" 123,"follow up"\ true,"source address ids" \[123],"source count" 123,"inactive"\ true,"protected"\ true,"closing user" "string","destination networks" \["string"]} create offense note create a custom note for a specified offense in ibm qradar using the unique offense id and provided note text endpoint url api/siem/offenses/{{offense id}}/notes method post input argument name type required description path parameters offense id number required parameters for the create offense note action parameters note text string required parameters for the create offense note action parameters fields string optional parameters for the create offense note action input example {"parameters" {"note text" "test note","fields" "field one (field two, field three),field four"},"path parameters" {"offense id" 7544}} output parameter type description status code number http status code of the response reason string response reason phrase note text string output field note text create time number time value id number unique identifier username string name of the resource output example {"note text" "string","create time" 123,"id" 123,"username" "example name"} get offense notes retrieve all notes linked to a specific offense in ibm qradar using the 'offense id' endpoint url api/siem/offenses/{{offense id}}/notes method get input argument name type required description path parameters offense id number required parameters 
for the get offense notes action headers object optional http headers for the request headers range string optional http headers for the request parameters fields string optional parameters for the get offense notes action parameters filter string optional parameters for the get offense notes action input example {"parameters" {"fields" "field one (field two, field three),field four","filter" "field one = 'string' and field two > 42 or not field three in (1, 2, 3)"},"path parameters" {"offense id" 7544},"headers" {"range" "items=0 49"}} output parameter type description status code number http status code of the response reason string response reason phrase output example \[] update offense update an existing offense in ibm qradar using the specified offense id endpoint url api/siem/offenses/{{offense id}} method post input argument name type required description path parameters offense id number required parameters for the update offense action parameters assigned to string optional parameters for the update offense action parameters closing reason id number optional parameters for the update offense action parameters fields string optional parameters for the update offense action parameters follow up boolean optional parameters for the update offense action parameters protected boolean optional parameters for the update offense action parameters status string optional parameters for the update offense action input example {"parameters" {"assigned to" "username","closing reason id" 42,"fields" "field one (field two, field three),field four","follow up"\ true,"protected"\ true,"status" "open"},"path parameters" {"offense id" 7544}} output parameter type description status code number http status code of the response reason string response reason phrase last persisted time number time value username count number name of the resource description string output field description rules array output field rules rules id number unique identifier rules type string type of 
the resource event count number count value flow count number count value assigned to object output field assigned to security category count number count value follow up boolean output field follow up source address ids array unique identifier source count number count value inactive boolean output field inactive protected boolean output field protected closing user string output field closing user destination networks array output field destination networks source network string output field source network category count number count value close time number time value remote destination count number count value start time number time value magnitude number output field magnitude output example {"last persisted time" 123,"username count" 123,"description" "string","rules" \[{"id" 123,"type" "string"}],"event count" 123,"flow count" 123,"assigned to" {},"security category count" 123,"follow up"\ true,"source address ids" \[123],"source count" 123,"inactive"\ true,"protected"\ true,"closing user" "string","destination networks" \["string"]} create query initiate a new ariel search in ibm qradar using an aql query expression with specified input parameters endpoint url api/ariel/searches method post input argument name type required description parameters query expression string optional parameters for the create query action parameters saved search id number optional parameters for the create query action input example {"parameters" {"query expression" "select sourceip from events","saved search id" 42}} output parameter type description status code number http status code of the response reason string response reason phrase cursor id string unique identifier status string status value compressed data file count number response data compressed data total size number response data data file count number response data data total size number response data index file count number count value index total size number output field index total size processed record count 
number count value desired retention time msec number output field desired retention time msec progress number output field progress progress details array output field progress details progress details file name string name of the resource progress details file string output field progress details file query execution time number time value query string string output field query string record count number count value size on disk number output field size on disk save results boolean result of the operation completed boolean output field completed subsearch ids array unique identifier subsearch ids file name string unique identifier subsearch ids file string unique identifier output example {"cursor id" "string","status" "active","compressed data file count" 123,"compressed data total size" 123,"data file count" 123,"data total size" 123,"index file count" 123,"index total size" 123,"processed record count" 123,"desired retention time msec" 123,"progress" 123,"progress details" \[{"file name" "example name","file" "string"}],"query execution time" 123,"query string" "string","record count" 123} get query results retrieve the results of a specific ariel search in ibm qradar using the provided unique search id endpoint url api/ariel/searches/{{search id}}/results method get input argument name type required description path parameters search id string required parameters for the get query results action headers object optional http headers for the request headers range string optional http headers for the request input example {"path parameters" {"search id" "f048831a 434a 448f 81c9 d0815e40fcca"},"headers" {"range" "items=0 49"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {} get query status retrieve the current status of a specific ibm qradar query using the provided search id endpoint url api/ariel/searches/{{search id}} method get input argument name type required 
description path parameters search id string required parameters for the get query status action headers object optional http headers for the request headers prefer string optional http headers for the request input example {"path parameters" {"search id" "24e5a350 5e21 43c4 9b33 56534895c833"},"headers" {"prefer" "wait=1"}} output parameter type description status code number http status code of the response reason string response reason phrase cursor id string unique identifier status string status value compressed data file count number response data compressed data total size number response data data file count number response data data total size number response data index file count number count value index total size number output field index total size processed record count number count value desired retention time msec number output field desired retention time msec progress number output field progress progress details array output field progress details progress details file name string name of the resource progress details file string output field progress details file query execution time number time value query string string output field query string record count number count value size on disk number output field size on disk save results boolean result of the operation completed boolean output field completed subsearch ids array unique identifier subsearch ids file name string unique identifier subsearch ids file string unique identifier output example {"status code" 200,"response headers" {"server" "qradar","expires" "0, 0","pragma" "no cache, no cache","cache control" "no cache, no store, must revalidate, no cache, no store, must revalidate","x xss protection" "1; mode=block","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains;, max age=31536000; includesubdomains","content type" "application/json;charset=utf 8","x frame options" "sameorigin","date" "wed, 22 feb 2023 16 03 38 gmt","content leng get 
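The Get Offenses, Create Query, Get Query Status and Get Query Results actions above form one workflow: page through offenses with the `Range` header, submit an AQL search per offense, poll the search until it reaches a terminal status, and only then read results. The block below is an added example, not Swimlane's or IBM's code, showing that workflow as client logic. It runs offline against `FakeQRadar`, a constructed stand-in for the four endpoints; the offense records, sample events, the `INOFFENSE(...)` AQL text, the `search-N` identifiers and the 409 answer for a not-yet-complete search are all assumptions made here, not page data. A real client would additionally send the API key in QRadar's `SEC` request header and verify the server's TLS certificate, neither of which the fake models.

```python
"""Offense-to-events workflow over the endpoints documented on this page.
Added example, not Swimlane's or IBM's code. FakeQRadar is a constructed
in-memory stand-in so the block runs offline; offense records, events, AQL
text and "search-N" identifiers are assumptions, not page data."""
import re
from typing import Dict, List, Tuple

TERMINAL = {"COMPLETED", "ERROR", "CANCELED"}  # Ariel search end states


class FakeQRadar:
    """Answers GET api/siem/offenses and the three api/ariel/searches endpoints.
    Each status poll moves a search one step along WAIT -> EXECUTE -> COMPLETED."""

    def __init__(self, offenses: List[dict], events: Dict[int, List[dict]]):
        self.offenses, self.events, self.searches = offenses, events, {}

    def request(self, method: str, path: str, headers=None, params=None):
        headers, params = headers or {}, params or {}
        if method == "GET" and path == "api/siem/offenses":
            # Honour Range: items=lo-hi and answer Content-Range: items lo-end/total.
            lo, hi = (int(x) for x in headers["Range"][len("items="):].split("-"))
            page = self.offenses[lo:hi + 1]
            end = lo + len(page) - 1 if page else lo
            return 200, {"Content-Range": f"items {lo}-{end}/{len(self.offenses)}"}, page
        if method == "POST" and path == "api/ariel/searches":
            m = re.search(r"INOFFENSE\((\d+)\)", params.get("query_expression", ""))
            if not m:
                return 422, {}, {"message": "fake only understands INOFFENSE(id)"}
            sid = f"search-{len(self.searches) + 1}"  # constructed id format
            self.searches[sid] = {"status": "WAIT", "offense": int(m.group(1))}
            return 201, {}, {"search_id": sid, "status": "WAIT", "completed": False}
        m = re.fullmatch(r"api/ariel/searches/([^/]+)(/results)?", path)
        if not m or m.group(1) not in self.searches:
            return 404, {}, {"message": "no such search"}
        s = self.searches[m.group(1)]
        if m.group(2):  # results: constructed rule, nothing before completion
            if s["status"] != "COMPLETED":
                return 409, {}, {"message": "search not complete"}
            return 200, {}, {"events": self.events.get(s["offense"], [])}
        s["status"] = {"WAIT": "EXECUTE", "EXECUTE": "COMPLETED"}.get(s["status"], s["status"])
        return 200, {}, {"search_id": m.group(1), "status": s["status"],
                         "completed": s["status"] == "COMPLETED"}


def list_offenses(api, filter_expr: str, fields: str, page_size: int = 50) -> List[dict]:
    """Get Offenses: walk Range/Content-Range until the reported total is fetched."""
    out, lo = [], 0
    while True:
        status, hdrs, page = api.request(
            "GET", "api/siem/offenses", headers={"Range": f"items={lo}-{lo + page_size - 1}"},
            params={"filter": filter_expr, "fields": fields})  # the fake ignores both params
        if status != 200:
            raise RuntimeError(f"offense listing failed: HTTP {status}")
        out.extend(page)
        total = int(hdrs["Content-Range"].rsplit("/", 1)[1])
        lo += page_size
        if not page or lo >= total:
            return out


def run_aql(api, query: str, max_polls: int = 20) -> Tuple[str, dict]:
    """Create Query, poll Get Query Status (Prefer: wait=1) to a terminal state, then
    Get Query Results for the first 50 rows. ERROR/CANCELED raises; it is never
    silently treated as an empty result."""
    status, _, body = api.request("POST", "api/ariel/searches", params={"query_expression": query})
    if status not in (200, 201):
        raise RuntimeError(f"search submission failed: HTTP {status} {body}")
    sid = body["search_id"]
    for _ in range(max_polls):
        status, _, body = api.request("GET", f"api/ariel/searches/{sid}", headers={"Prefer": "wait=1"})
        if status == 200 and body["status"] in TERMINAL:
            break
    else:
        raise TimeoutError(f"search {sid} still {body['status']} after {max_polls} polls")
    if body["status"] != "COMPLETED":
        raise RuntimeError(f"search {sid} ended in {body['status']}")
    status, _, results = api.request("GET", f"api/ariel/searches/{sid}/results",
                                     headers={"Range": "items=0-49"})
    if status != 200:
        raise RuntimeError(f"results fetch failed: HTTP {status}")
    return sid, results


def events_for_offenses(api, since_ms: int) -> Dict[int, List[dict]]:
    """Offenses persisted since since_ms, each paired with the events of one AQL search."""
    found = {}
    for off in list_offenses(api, f"last_persisted_time >= {since_ms}", "id,description,status", page_size=2):
        oid = int(off["id"])  # checked integer, so the AQL never embeds raw API text
        query = f"SELECT sourceip, destinationip, eventname FROM events WHERE INOFFENSE({oid}) LAST 24 HOURS"
        found[oid] = run_aql(api, query)[1]["events"]
    return found


# Constructed sample data, not from the page.
SAMPLE_OFFENSES = [{"id": 7544, "description": "Excessive Firewall Denies", "status": "OPEN"},
                   {"id": 7545, "description": "Multiple Login Failures", "status": "OPEN"},
                   {"id": 7546, "description": "Suspicious Outbound Scan", "status": "OPEN"}]
SAMPLE_EVENTS = {7544: [{"sourceip": "10.0.0.5", "destinationip": "10.0.1.20", "eventname": "Firewall Deny"}],
                 7545: [{"sourceip": "10.0.0.9", "destinationip": "10.0.1.4", "eventname": "Login Failed"}] * 2}
```

`events_for_offenses(FakeQRadar(SAMPLE_OFFENSES, SAMPLE_EVENTS), 1668526028000)` returns three offense IDs keyed to their event lists; the third offense has no events and maps to an empty list. Two design points carry over to a real deployment: the `Content-Range` total, not the page length, decides when paging stops, and a search that ends in `ERROR` or `CANCELED` is reported rather than mistaken for an offense with no events.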
Retrieve a specific security rule from IBM QRadar using the provided rule ID.

**Endpoint URL:** `api/analytics/rules/{{id}}`
**Method:** GET

**Input**

| Name | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | required | Parameters for the Get Rule action |
| parameters.fields | string | optional | Parameters for the Get Rule action |

**Input Example**

```json
{"parameters": {"fields": "field_one (field_two, field_three),field_four"}, "path_parameters": {"id": "100639"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| owner | string | Output field owner |
| identifier | string | Unique identifier |
| base_host_id | number | Unique identifier |
| capacity_timestamp | number | Output field capacity_timestamp |
| origin | string | Output field origin |
| creation_date | number | Date value |
| type | string | Type of the resource |
| enabled | boolean | Output field enabled |
| modification_date | number | Date value |
| linked_rule_identifier | object | Unique identifier |
| name | string | Name of the resource |
| average_capacity | number | Output field average_capacity |
| id | number | Unique identifier |
| base_capacity | number | Output field base_capacity |

**Output Example**

```json
{"owner": "string", "identifier": "string", "base_host_id": 123, "capacity_timestamp": 123, "origin": "string", "creation_date": 123, "type": "string", "enabled": true, "modification_date": 123, "linked_rule_identifier": {}, "name": "example name", "average_capacity": 123, "id": 123, "base_capacity": 123}
```

### Get Source Addresses

Retrieve a list of offense source addresses from IBM QRadar to identify active system threats.

**Endpoint URL:** `api/siem/source_addresses`
**Method:** GET

**Input**

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | optional | Parameters for the Get Source Addresses action |
| parameters.fields | string | optional | Parameters for the Get Source Addresses action |
| headers | object | optional | HTTP headers for the request |
| headers.range | string | optional | HTTP headers for the request |

**Input Example**

```json
{"parameters": {"filter": "first_event_flow_seen >= 1634663234343", "fields": "field_one (field_two, field_three),field_four"}, "headers": {"range": "items=0-49"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output Example**

```json
[]
```

### Response Headers

| Header | Description | Example |
|---|---|---|
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, must-revalidate, no-cache, no-store, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 609 |
| Content-Range | HTTP response header Content-Range | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 22 Feb 2023 16:03:38 GMT |
| Expires | The date/time after which the response is considered stale | 0, 0 |
| Location | The URL to redirect a page to | |
| Pragma | HTTP response header Pragma | no-cache, no-cache |
| Server | Information about the software used by the origin server | QRadar |
| Set-Cookie | HTTP response header Set-Cookie | JSESSIONID=c0da0a55b56c0a3c3bd5c7c47f912a62; Path=/; Secure; HttpOnly;Secure;SameSite=Lax |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains;, max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |