# IBM QRadar
The IBM QRadar connector enables seamless integration with Swimlane Turbine, allowing users to automate actions and leverage threat intelligence directly within their security workflows.

IBM QRadar is a comprehensive Security Information and Event Management (SIEM) platform that provides security teams with visibility into their network and threat landscape. This connector enables Swimlane Turbine users to automate interactions with QRadar, such as managing reference data, retrieving offense details, and conducting searches. By integrating with IBM QRadar, Swimlane Turbine users can enhance their security automation, streamline incident response, and leverage QRadar's advanced analytics to enrich their security operations.

## Prerequisites

Before integrating IBM QRadar with Swimlane Turbine, ensure you have the following:

API key authentication with the necessary parameters:

- URL: the endpoint URL for the IBM QRadar API
- API Key: a valid API key to authenticate requests to the IBM QRadar API

## Asset Setup

If you want to use a specific version of the API, set the API Version parameter in the asset. By default, the API uses the latest version.

## Capabilities

The IBM QRadar integration provides the following capabilities:

- Add/Update Data in Reference Map
- Add/Update Data in Reference Table
- Create Reference Map of Sets
- Create Reference Map
- Create Reference Table
- Get Offense Saved Search
- Get Reference Map of Sets
- List Assets
- List Reference Maps
- List Reference Tables
- List Rules
- Get Local Destination Address
- Get Log Source Types
- Create Log Source
- Get Log Sources
- and so on

## Configurations

### IBM QRadar API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| sec | API key | string | required |
| api_version | API version | string | optional |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Add/Update Data in Reference Map

Adds or updates the specified data in an IBM QRadar reference map, using the provided map name.

**Endpoint URL:** `/api/reference_data/maps/bulk_load/{{name}}`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| fields | string | optional | Parameter for Add/Update Data in Reference Map |
| data | array | required | Response data |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {},
    "reason": "Created",
    "json_body": {
      "creation_time": 42,
      "element_type": "string <one of ALN, NUM, IP, PORT, ALNIC, DATE>",
      "name": "string",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "string <one of UNKNOWN, FIRST_SEEN, LAST_SEEN>"
    }
  }
]
```

### Add/Update Data in Reference Table

Adds or updates data in a specified IBM QRadar reference table, using 'name' to identify the table and 'data' for the new content.

**Endpoint URL:** `/api/reference_data/tables/bulk_load/{{name}}`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| fields | string | optional | Parameter for Add/Update Data in Reference Table |
| data | array | required | Response data |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {},
    "reason": "Created",
    "json_body": {
      "creation_time": 42,
      "element_type": "string <one of ALN, NUM, IP, PORT, ALNIC, DATE>",
      "name": "string",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "string <one of UNKNOWN, FIRST_SEEN, LAST_SEEN>"
    }
  }
]
```

### Create Reference Map

Initiates the creation of a new reference map in IBM QRadar using the provided 'name' parameter.

**Endpoint URL:** `/api/reference_data/maps`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| key_label | string | optional | Parameter for Create Reference Map |
| value_label | string | optional | Value for the parameter |
| element_type | string | optional | Type of the resource |
| timeout_type | string | optional | Type of the resource |
| time_to_live | string | optional | Parameter for Create Reference Map |
| fields | string | optional | Parameter for Create Reference Map |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| collection_id | number | Unique identifier |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| name | string | Name of the resource |
| namespace | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |
| value_label | string | Value for the parameter |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {},
    "reason": "Created",
    "json_body": {
      "collection_id": 42,
      "creation_time": 42,
      "element_type": "string <one of ALN, NUM, IP, PORT, ALNIC, DATE>",
      "key_label": "string",
      "name": "string",
      "namespace": "string <one of PRIVATE, SHARED, TENANT>",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "string <one of UNKNOWN, FIRST_SEEN, LAST_SEEN>",
      "value_label": "string"
    }
  }
]
```

### Create Reference Map of Sets

Creates a new reference map of sets in IBM QRadar, requiring a user-defined name and element type.

**Endpoint URL:** `api/reference_data/map_of_sets`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | The name of the reference map of sets to create |
| element_type | string | required | The element type for the values allowed in the reference map of sets |
| key_label | string | optional | The label to describe the keys |
| value_label | string | optional | The label to describe the data values |
| timeout_type | string | optional | Indicates whether the time_to_live interval is based on when the data was first seen or last seen |
| time_to_live | string | optional | The time to live interval |
| fields | string | optional | Use this parameter to specify which fields you would like to get back in the response |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |
| value_label | string | Value for the parameter |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "creation_time": 42,
      "element_type": "ALN",
      "key_label": "string",
      "name": "string",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "FIRST_SEEN",
      "value_label": "string"
    }
  }
]
```

### Create Reference Table

Creates a new reference table in IBM QRadar with a defined 'name' and 'element_type'.

**Endpoint URL:** `/api/reference_data/tables`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| outer_key_label | string | optional | Parameter for Create Reference Table |
| key_name_types | string | optional | Name of the resource |
| element_type | string | required | Type of the resource |
| timeout_type | string | optional | Type of the resource |
| time_to_live | string | optional | Parameter for Create Reference Table |
| fields | string | optional | Parameter for Create Reference Table |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| collection_id | number | Unique identifier |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| key_name_types | object | Name of the resource |
| string | string | Output field string |
| name | string | Name of the resource |
| namespace | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {},
    "reason": "Created",
    "json_body": {
      "collection_id": 42,
      "creation_time": 42,
      "element_type": "string <one of ALN, NUM, IP, PORT, ALNIC, DATE>",
      "key_label": "string",
      "key_name_types": {},
      "name": "string",
      "namespace": "string <one of PRIVATE, SHARED, TENANT>",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "string <one of UNKNOWN, FIRST_SEEN, LAST_SEEN>"
    }
  }
]
```

### Get Offense Saved Search

Retrieves a specific saved search for offenses in IBM QRadar using the provided search ID.

**Endpoint URL:** `api/siem/offense_saved_searches/{{id}}`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | number | required | Unique identifier |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| filter | string | optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| fields | string | optional | Use this parameter to specify which fields you would like to get back in the response |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier |
| name | string | Name of the resource |
| owner | string | Output field owner |

#### Example

```json
[
  {
    "status_code": 201,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "id": 42,
      "name": "string",
      "owner": "string"
    }
  }
]
```

### Get Reference Map of Sets

Retrieves a comprehensive list of all reference map of sets available in IBM QRadar.

**Endpoint URL:** `api/reference_data/map_of_sets`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| filter | string | optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| fields | string | optional | Use this parameter to specify which fields you would like to get back in the response |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Time value |
| element_type | string | Type of the resource |
| key_label | string | Output field key_label |
| name | string | Name of the resource |
| number_of_elements | number | Output field number_of_elements |
| time_to_live | string | Output field time_to_live |
| timeout_type | string | Type of the resource |
| value_label | string | Value for the parameter |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "creation_time": 42,
      "element_type": "string <one of ALN, NUM, IP, PORT, ALNIC, DATE>",
      "key_label": "string",
      "name": "string",
      "number_of_elements": 42,
      "time_to_live": "string",
      "timeout_type": "string <one of UNKNOWN, FIRST_SEEN, LAST_SEEN>",
      "value_label": "string"
    }
  }
]
```

### List Assets

Retrieves a comprehensive overview of all network elements from the IBM QRadar asset model.

**Endpoint URL:** `api/asset_model/assets`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| fields | string | optional | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas |
| sort | string | optional | This parameter is used to sort the elements in a list |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### List Reference Maps

Retrieves all available reference maps from IBM QRadar to enhance context and decision making.

**Endpoint URL:** `/api/reference_data/maps`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | optional | Parameter for List Reference Maps |
| fields | string | optional | Parameter for List Reference Maps |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for List Reference Maps |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### List Reference Tables

Retrieves all available reference tables from IBM QRadar to facilitate advanced query and analysis capabilities.

**Endpoint URL:** `/api/reference_data/tables`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | optional | Parameter for List Reference Tables |
| fields | string | optional | Parameter for List Reference Tables |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for List Reference Tables |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### List Rules

Retrieves a comprehensive list of rules from IBM QRadar for analysis or modification.

**Endpoint URL:** `/api/analytics/rules`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | optional | Parameter for List Rules |
| fields | string | optional | Parameter for List Rules |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for List Rules |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Get Local Destination Address

Retrieves a specific local destination address in IBM QRadar using the provided address ID associated with an offense.

**Endpoint URL:** `api/siem/local_destination_addresses/{{local_destination_address_id}}`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| local_destination_address_id | string | required | Unique identifier |
| fields | string | optional | Parameter for Get Local Destination Address |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| event_flow_count | number | Count value |
| source_address_ids | array | Unique identifier |
| first_event_flow_seen | number | Output field first_event_flow_seen |
| last_event_flow_seen | number | Output field last_event_flow_seen |
| magnitude | number | Output field magnitude |
| id | number | Unique identifier |
| offense_ids | array | Unique identifier |
| local_destination_ip | string | Output field local_destination_ip |
| domain_id | number | Unique identifier |
| network | string | Output field network |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "event_flow_count": 123,
      "source_address_ids": [],
      "first_event_flow_seen": 123,
      "last_event_flow_seen": 123,
      "magnitude": 123,
      "id": 123,
      "offense_ids": [],
      "local_destination_ip": "string",
      "domain_id": 123,
      "network": "string"
    }
  }
]
```

### Get Log Source Types

Retrieves a comprehensive list of log source types from IBM QRadar for improved data categorization and analysis.

**Endpoint URL:** `api/config/event_sources/log_source_management/log_source_types`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| fields | string | optional | Parameter for Get Log Source Types |
| filter | string | optional | Parameter for Get Log Source Types |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for Get Log Source Types |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Create Log Source

Creates a new log source in IBM QRadar using the configuration details provided in the JSON body input.

**Endpoint URL:** `api/config/event_sources/log_source_management/log_sources`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| parsing_order | number | optional | Parameter for Create Log Source |
| internal | boolean | optional | Parameter for Create Log Source |
| gateway | boolean | optional | Parameter for Create Log Source |
| protocol_parameters | array | optional | Parameters for the Create Log Source action |
| id | number | optional | Unique identifier |
| value | string | optional | Value for the parameter |
| name | string | optional | Name of the resource |
| target_event_collector_id | number | optional | Unique identifier |
| log_source_extension_id | object | optional | Unique identifier |
| enabled | boolean | optional | Parameter for Create Log Source |
| coalesce_events | boolean | optional | Parameter for Create Log Source |
| name | string | optional | Name of the resource |
| wincollect_external_destination_ids | object | optional | Unique identifier |
| description | string | optional | Parameter for Create Log Source |
| sending_ip | object | optional | Parameter for Create Log Source |
| language_id | number | optional | Unique identifier |
| credibility | number | optional | Parameter for Create Log Source |
| last_event_time | number | optional | Time value |
| wincollect_internal_destination_id | object | optional | Unique identifier |
| average_eps | number | optional | Parameter for Create Log Source |
| disconnected_log_collector_id | object | optional | Unique identifier |
| requires_deploy | boolean | optional | Parameter for Create Log Source |
| auto_discovered | boolean | optional | Parameter for Create Log Source |
| type_id | number | optional | Unique identifier |
| protocol_type_id | number | optional | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sending_ip | object | Output field sending_ip |
| internal | boolean | Output field internal |
| protocol_parameters | array | Parameters for the Create Log Source action |
| name | string | Name of the resource |
| id | number | Unique identifier |
| value | string | Value for the parameter |
| description | string | Output field description |
| coalesce_events | boolean | Output field coalesce_events |
| enabled | boolean | Output field enabled |
| parsing_order | number | Output field parsing_order |
| average_eps | number | Output field average_eps |
| group_ids | array | Unique identifier |
| credibility | number | Output field credibility |
| id | number | Unique identifier |
| store_event_payload | boolean | Output field store_event_payload |
| target_event_collector_id | number | Unique identifier |
| protocol_type_id | number | Unique identifier |
| language_id | number | Unique identifier |
| creation_date | number | Date value |
| wincollect_external_destination_ids | object | Unique identifier |
| log_source_extension_id | object | Unique identifier |
| name | string | Name of the resource |
| modified_date | number | Date value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "sending_ip": {},
      "internal": true,
      "protocol_parameters": [],
      "description": "string",
      "coalesce_events": true,
      "enabled": true,
      "parsing_order": 123,
      "average_eps": 123,
      "group_ids": [],
      "credibility": 123,
      "id": 123,
      "store_event_payload": true,
      "target_event_collector_id": 123,
      "protocol_type_id": 123,
      "language_id": 123
    }
  }
]
```

### Get Log Sources

Obtains a detailed list of log sources from IBM QRadar for enhanced analysis and monitoring capabilities.

**Endpoint URL:** `api/config/event_sources/log_source_management/log_sources`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| fields | string | optional | Parameter for Get Log Sources |
| filter | string | optional | Parameter for Get Log Sources |
| sort | string | optional | Parameter for Get Log Sources |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for Get Log Sources |
| x_qrd_encryption_algorithm | string | optional | Parameter for Get Log Sources |
| x_qrd_encryption_password | string | optional | Parameter for Get Log Sources |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Get Offenses

Pulls a detailed list of offenses from IBM QRadar for in-depth analysis and monitoring.

**Endpoint URL:** `api/siem/offenses`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| filter | string | optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| sort | string | optional | This parameter is used to sort the elements in a list |
| fields | string | optional | Use this parameter to specify which fields you would like to get back in the response |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Get Offense by ID

Retrieves the detailed properties of a specific offense in IBM QRadar using the provided offense ID.

**Endpoint URL:** `api/siem/offenses/{{offense_id}}`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| offense_id | number | required | Unique identifier |
| fields | string | optional | Parameter for Get Offense by ID |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_persisted_time | number | Time value |
| username_count | number | Name of the resource |
| description | string | Output field description |
| rules | array | Output field rules |
| id | number | Unique identifier |
| type | string | Type of the resource |
| event_count | number | Count value |
| flow_count | number | Count value |
| assigned_to | object | Output field assigned_to |
| security_category_count | number | Count value |
| follow_up | boolean | Output field follow_up |
| source_address_ids | array | Unique identifier |
| source_count | number | Count value |
| inactive | boolean | Output field inactive |
| protected | boolean | Output field protected |
| closing_user | string | Output field closing_user |
| destination_networks | array | Output field destination_networks |
| source_network | string | Output field source_network |
| category_count | number | Count value |
| close_time | number | Time value |
| remote_destination_count | number | Count value |
| start_time | number | Time value |
| magnitude | number | Output field magnitude |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "last_persisted_time": 123,
      "username_count": 123,
      "description": "string",
      "rules": [],
      "event_count": 123,
      "flow_count": 123,
      "assigned_to": {},
      "security_category_count": 123,
      "follow_up": true,
      "source_address_ids": [],
      "source_count": 123,
      "inactive": true,
      "protected": true,
      "closing_user": "string",
      "destination_networks": []
    }
  }
]
```

### Create Offense Note

Creates a custom note for a specified offense in IBM QRadar using the unique offense ID and the provided note text.

**Endpoint URL:** `api/siem/offenses/{{offense_id}}/notes`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| offense_id | number | required | Unique identifier |
| note_text | string | required | Parameter for Create Offense Note |
| fields | string | optional | Parameter for Create Offense Note |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| note_text | string | Output field note_text |
| create_time | number | Time value |
| id | number | Unique identifier |
| username | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "note_text": "string",
      "create_time": 123,
      "id": 123,
      "username": "example name"
    }
  }
]
```

### Get Offense Notes

Retrieves all notes associated with a specific offense in IBM QRadar, identified by 'offense_id'.

**Endpoint URL:** `api/siem/offenses/{{offense_id}}/notes`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| offense_id | number | required | Unique identifier |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for Get Offense Notes |
| fields | string | optional | Parameter for Get Offense Notes |
| filter | string | optional | Parameter for Get Offense Notes |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

### Update Offense

Updates an existing offense in IBM QRadar using the specified offense ID.

**Endpoint URL:** `api/siem/offenses/{{offense_id}}`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| offense_id | number | required | Unique identifier |
| assigned_to | string | optional | Parameter for Update Offense |
| closing_reason_id | number | optional | Unique identifier |
| fields | string | optional | Parameter for Update Offense |
| follow_up | boolean | optional | Parameter for Update Offense |
| protected | boolean | optional | Parameter for Update Offense |
| status | string | optional | Status value |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_persisted_time | number | Time value |
| username_count | number | Name of the resource |
| description | string | Output field description |
| rules | array | Output field rules |
| id | number | Unique identifier |
| type | string | Type of the resource |
| event_count | number | Count value |
| flow_count | number | Count value |
| assigned_to | object | Output field assigned_to |
| security_category_count | number | Count value |
| follow_up | boolean | Output field follow_up |
| source_address_ids | array | Unique identifier |
| source_count | number | Count value |
| inactive | boolean | Output field inactive |
| protected | boolean | Output field protected |
| closing_user | string | Output field closing_user |
| destination_networks | array | Output field destination_networks |
| source_network | string | Output field source_network |
| category_count | number | Count value |
| close_time | number | Time value |
| remote_destination_count | number | Count value |
| start_time | number | Time value |
| magnitude | number | Output field magnitude |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "last_persisted_time": 123,
      "username_count": 123,
      "description": "string",
      "rules": [],
      "event_count": 123,
      "flow_count": 123,
      "assigned_to": {},
      "security_category_count": 123,
      "follow_up": true,
      "source_address_ids": [],
      "source_count": 123,
      "inactive": true,
      "protected": true,
      "closing_user": "string",
      "destination_networks": []
    }
  }
]
```

### Create Query

Initiates a new Ariel search in IBM QRadar using an AQL query expression with the specified input parameters.

**Endpoint URL:** `api/ariel/searches`
**Method:** POST

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| query_expression | string | optional | Parameter for Create Query |
| saved_search_id | number | optional | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor_id | string | Unique identifier |
| status | string | Status value |
| compressed_data_file_count | number | Response data |
| compressed_data_total_size | number | Response data |
| data_file_count | number | Response data |
| data_total_size | number | Response data |
| index_file_count | number | Count value |
| index_total_size | number | Output field index_total_size |
| processed_record_count | number | Count value |
| desired_retention_time_msec | number | Output field desired_retention_time_msec |
| progress | number | Output field progress |
| progress_details | array | Output field progress_details |
| file_name | string | Name of the resource |
| file | string | Output field file |
| query_execution_time | number | Time value |
| query_string | string | Output field query_string |
| record_count | number | Count value |
| size_on_disk | number | Output field size_on_disk |
| save_results | boolean | Result of the operation |
| completed | boolean | Output field completed |
| subsearch_ids | array | Unique identifier |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "cursor_id": "string",
      "status": "active",
      "compressed_data_file_count": 123,
      "compressed_data_total_size": 123,
      "data_file_count": 123,
      "data_total_size": 123,
      "index_file_count": 123,
      "index_total_size": 123,
      "processed_record_count": 123,
      "desired_retention_time_msec": 123,
      "progress": 123,
      "progress_details": [],
      "query_execution_time": 123,
      "query_string": "string",
      "record_count": 123
    }
  }
]
```

### Get Query Results

Retrieves the results of a specific Ariel search in IBM QRadar using the provided unique search ID.

**Endpoint URL:** `api/ariel/searches/{{search_id}}/results`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| search_id | string | required | Unique identifier |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for Get Query Results |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK"
  }
]
```

### Get Query Status

Retrieves the current status of a specific IBM QRadar query using the provided search ID.

**Endpoint URL:** `api/ariel/searches/{{search_id}}`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| search_id | string | required | Unique identifier |
| headers | object | optional | HTTP headers for the request |
| prefer | string | optional | Parameter for Get Query Status |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor_id | string | Unique identifier |
| status | string | Status value |
| compressed_data_file_count | number | Response data |
| compressed_data_total_size | number | Response data |
| data_file_count | number | Response data |
| data_total_size | number | Response data |
| index_file_count | number | Count value |
| index_total_size | number | Output field index_total_size |
| processed_record_count | number | Count value |
| desired_retention_time_msec | number | Output field desired_retention_time_msec |
| progress | number | Output field progress |
| progress_details | array | Output field progress_details |
| file_name | string | Name of the resource |
| file | string | Output field file |
| query_execution_time | number | Time value |
| query_string | string | Output field query_string |
| record_count | number | Count value |
| size_on_disk | number | Output field size_on_disk |
| save_results | boolean | Result of the operation |
| completed | boolean | Output field completed |
| subsearch_ids | array | Unique identifier |
| file_name | string | Name of the resource |
| file | string | Output field file |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Server": "QRadar",
      "Expires": "0, 0",
      "Pragma": "no-cache, no-cache",
      "Cache-Control": "no-cache, no-store, must-revalidate, no-cache, no-store, must-revalidate",
      "X-XSS-Protection": "1; mode=block",
      "X-Content-Type-Options": "nosniff",
      "Strict-Transport-Security": "max-age=31536000; includeSubDomains;, max-age=31536000; includeSubDomains",
      "Content-Type": "application/json;charset=utf-8",
      "X-Frame-Options": "SAMEORIGIN",
      "Date": "Wed, 22 Feb 2023 16:03:38 GMT",
      "Content-Length": "609",
      "Connection": "keep-alive",
      "Set-Cookie": "jsessionid=c0da0a55b56c0a3c3bd5c7c47f912a62; path=/; secure; httponly;secure;sam"
    },
    "reason": "OK",
    "json_body": {
      "cursor_id": "24e5a350-5e21-43c4-9b33-56534895c833",
      "status": "COMPLETED",
      "compressed_data_file_count": 0,
      "compressed_data_total_size": 0,
      "data_file_count": 2,
      "data_total_size": 312690,
      "index_file_count": 0,
      "index_total_size": 0,
      "processed_record_count": 9940,
      "desired_retention_time_msec": 86400000,
      "progress": 100,
      "progress_details": [],
      "query_execution_time": 54,
      "query_string": "select sourceip from events",
      "record_count": 9940
    }
  }
]
```

### Get Rule

Retrieves a specific security rule from IBM QRadar using the provided rule ID.

**Endpoint URL:** `api/analytics/rules/{{id}}`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| fields | string | optional | Parameter for Get Rule |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| owner | string | Output field owner |
| identifier | string | Unique identifier |
| base_host_id | number | Unique identifier |
| capacity_timestamp | number | Output field capacity_timestamp |
| origin | string | Output field origin |
| creation_date | number | Date value |
| type | string | Type of the resource |
| enabled | boolean | Output field enabled |
| modification_date | number | Date value |
| linked_rule_identifier | object | Unique identifier |
| name | string | Name of the resource |
| average_capacity | number | Output field average_capacity |
| id | number | Unique identifier |
| base_capacity | number | Output field base_capacity |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "owner": "string",
      "identifier": "string",
      "base_host_id": 123,
      "capacity_timestamp": 123,
      "origin": "string",
      "creation_date": 123,
      "type": "string",
      "enabled": true,
      "modification_date": 123,
      "linked_rule_identifier": {},
      "name": "example name",
      "average_capacity": 123,
      "id": 123,
      "base_capacity": 123
    }
  }
]
```

### Get Source Addresses

Retrieves a list of offense source addresses from IBM QRadar, detailing active system threats.

**Endpoint URL:** `api/siem/source_addresses`
**Method:** GET

#### Input

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| filter | string | optional | Parameter for Get Source Addresses |
| fields | string | optional | Parameter for Get Source Addresses |
| headers | object | optional | HTTP headers for the request |
| range | string | optional | Parameter for Get Source Addresses |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": []
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-cache, no-store, must-revalidate, no-cache, no-store, must-revalidate |
| Connection | HTTP response header Connection | keep-alive |
| Content-Length | The length of the response body in bytes | 609 |
| Content-Range | HTTP response header Content-Range | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Wed, 22 Feb 2023 16:03:38 GMT |
| Expires | The date/time after which the response is considered stale | 0, 0 |
| Location | The URL to redirect a page to | |
| Pragma | HTTP response header Pragma | no-cache, no-cache |
| Server | Information about the software used by the origin server | QRadar |
| Set-Cookie | HTTP response header Set-Cookie | jsessionid=c0da0a55b56c0a3c3bd5c7c47f912a62; path=/; secure; httponly;secure;samesite=lax |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains;, max-age=31536000; includeSubDomains |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |

## Notes

For more information on Ariel Query Language (AQL), see IBM AQL: https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_aql.pdf

API documentation: https://ibmsecuritydocs.github.io/qradar_api_14.0/
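The Ariel search lifecycle behind the Create Query, Get Query Status and Get Query Results actions above, as an added example that is not part of the connector or of IBM's code. It sends the API key in the SEC header and the optional Version header, polls the search until it reaches COMPLETED (stopping on CANCELED or ERROR instead of looping forever), pages results with the Range header, and keeps TLS verification and the proxy tied to the asset's verify_ssl and http_proxy settings; the base URL, token, status names and the fake server are assumptions or constructed stand-ins.

```python
# Added example (not Swimlane's or IBM's code): the Ariel search lifecycle behind the page's
# Create Query, Get Query Status and Get Query Results actions, with a pluggable transport.
import time
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, params, body) -> (status_code, decoded_body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict], Optional[dict]], Tuple[int, object]]
TERMINAL_STATES = {"COMPLETED", "CANCELED", "ERROR"}  # assumed QRadar search states that end polling


class QRadarArielClient:
    def __init__(self, base_url: str, sec_token: str, transport: Transport,
                 api_version: Optional[str] = None) -> None:
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        # QRadar reads the API key from the SEC header (the asset's "sec" parameter); the
        # optional Version header pins the API version, otherwise the latest one is used.
        self.headers = {"SEC": sec_token, "Accept": "application/json"}
        if api_version:
            self.headers["Version"] = api_version

    def _call(self, method: str, path: str, params: Optional[dict] = None, extra_headers=None):
        headers = dict(self.headers, **(extra_headers or {}))
        status, data = self.transport(method, self.base_url + path, headers, params, None)
        if status >= 400:
            raise RuntimeError(f"{method} {path} failed with HTTP {status}: {data}")
        return data

    def create_search(self, aql: str) -> str:
        """Create Query: POST the AQL as query_expression; the returned cursor_id is the search id."""
        data = self._call("POST", "/api/ariel/searches", params={"query_expression": aql})
        return data["cursor_id"]

    def get_status(self, search_id: str) -> dict:
        """Get Query Status: status, progress and record_count of one search."""
        return self._call("GET", f"/api/ariel/searches/{search_id}")

    def wait_for_completion(self, search_id: str, max_polls: int = 150, sleep=time.sleep) -> dict:
        """Poll until COMPLETED; fail fast on CANCELED/ERROR instead of polling forever."""
        for _ in range(max_polls):
            info = self.get_status(search_id)
            state = str(info.get("status", "")).upper()
            if state == "COMPLETED":
                return info
            if state in TERMINAL_STATES:
                raise RuntimeError(f"search {search_id} ended in state {state}")
            sleep(2.0)
        raise TimeoutError(f"search {search_id} still running after {max_polls} polls")

    def get_results(self, search_id: str, page_size: int = 1000) -> List[dict]:
        """Get Query Results, paged with the Range header (items=start-end, zero-indexed)."""
        rows: List[dict] = []
        offset = 0
        while True:
            rng = {"Range": f"items={offset}-{offset + page_size - 1}"}
            data = self._call("GET", f"/api/ariel/searches/{search_id}/results", extra_headers=rng)
            # The body is {"events": [...]} or {"flows": [...]} depending on the AQL FROM clause.
            batch = data.get("events") or data.get("flows") or []
            rows.extend(batch)
            if len(batch) < page_size:
                return rows
            offset += page_size


def run_search(client, aql: str, page_size: int = 1000, sleep=time.sleep) -> Tuple[dict, List[dict]]:
    """End to end: create, wait, fetch. Returns (final status document, result rows)."""
    search_id = client.create_search(aql)
    info = client.wait_for_completion(search_id, sleep=sleep)
    return info, client.get_results(search_id, page_size=page_size)


def requests_transport(verify_ssl: bool = True, proxies: Optional[dict] = None) -> Transport:
    """Real transport on `requests`, wired to the asset's verify_ssl and http_proxy settings."""
    import requests  # imported lazily so the offline fake below needs no network stack

    def transport(method, url, headers, params, body):
        resp = requests.request(method, url, headers=headers, params=params, json=body,
                                verify=verify_ssl, proxies=proxies, timeout=30)
        body = resp.json() if "json" in resp.headers.get("Content-Type", "") else resp.text
        return resp.status_code, body
    return transport


def make_fake_transport(status_sequence: List[str], events: List[dict]) -> Transport:
    """Constructed stand-in for a QRadar server: scripted status progression plus a result set."""
    pending = list(status_sequence)
    search_id = "24e5a350-5e21-43c4-9b33-56534895c833"  # cursor_id from the page's sample response

    def transport(method, url, headers, params, body):
        if not headers.get("SEC"):
            return 401, {"message": "SEC header missing"}
        if method == "POST" and url.endswith("/api/ariel/searches"):
            return 201, {"cursor_id": search_id, "status": "WAIT", "progress": 0}
        if method == "GET" and url.endswith(f"/api/ariel/searches/{search_id}"):
            state = pending.pop(0) if len(pending) > 1 else pending[0]  # last state repeats
            return 200, {"cursor_id": search_id, "status": state, "record_count": len(events)}
        if method == "GET" and url.endswith(f"/searches/{search_id}/results"):
            start, end = headers["Range"][len("items="):].split("-")
            return 200, {"events": events[int(start):int(end) + 1]}
        return 404, {"message": f"no route for {method} {url}"}
    return transport
```

Against a live system, build the client with `requests_transport(verify_ssl=True, proxies=...)` and call `run_search(client, "SELECT sourceip FROM events LAST 1 HOURS")`; the fake transport is only for exercising the state machine offline.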