# IBM QRadar
The IBM QRadar connector enables seamless integration with Swimlane Turbine, allowing users to automate actions and leverage threat intelligence directly within their security workflows.

IBM QRadar is a comprehensive Security Information and Event Management (SIEM) platform that gives security teams visibility into their network and threat landscape. This connector lets Swimlane Turbine users automate interactions with QRadar, such as managing reference data, retrieving offense details, and running searches. By integrating with IBM QRadar, Swimlane Turbine users can enhance their security automation, streamline incident response, and use QRadar's analytics to enrich their security operations.

## Prerequisites

Before integrating IBM QRadar with Swimlane Turbine, ensure you have the following:

API key authentication with the necessary parameters:

- URL: the endpoint URL for the IBM QRadar API
- API key: a valid API key (the token of a QRadar authorized service, sent in the `SEC` header) to authenticate requests to the IBM QRadar API

Give the authorized service only the QRadar user role and security profile the workflows need, and keep Verify SSL enabled: with certificate verification off, the `SEC` token is sent to whatever host answers the connection.

### Asset setup

If you want to use a specific version of the API, set the API Version parameter in the asset. By default, the API uses the latest version.

## Capabilities

The IBM QRadar integration provides the following capabilities:

- Add/Update Data in Reference Map
- Add/Update Data in Reference Table
- Create Reference Map of Sets
- Create Reference Map
- Create Reference Table
- Get Offense Saved Search
- Get Reference Map of Sets
- List Assets
- List Reference Maps
- List Reference Tables
- List Rules
- Get Local Destination Address
- Get Log Source Types
- Create Log Source
- Get Log Sources
- and so on

## Notes

For more information on Ariel Query Language (AQL), see https://www.ibm.com/support/knowledgecenter/SS42VS_7.3.1/com.ibm.qradar.doc/b_qradar_aql.pdf

QRadar API reference: https://ibmsecuritydocs.github.io/qradar_api_14.0/

## Configurations

### IBM QRadar API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | Required |
| SEC | API key | string | Required |
| API Version | API version | string | Optional |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add/Update Data in Reference Map

Adds or updates the specified data in an IBM QRadar reference map, identified by the provided map name.

**Endpoint URL:** `/api/reference_data/maps/bulk_load/{{name}}`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.name | string | Required | Name of the reference map to load |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| data | array | Optional | Key/value data to add or update in the map |

**Input example**

```json
{"path_parameters": {"name": "example_name"}, "parameters": {"fields": "string"}, "data": []}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Creation time of the map |
| element_type | string | Element type of the map |
| name | string | Name of the map |
| number_of_elements | number | Number of elements in the map |
| time_to_live | string | Time-to-live interval |
| timeout_type | string | Timeout type |

**Output example**

```json
{"status_code": 201, "response_headers": {}, "reason": "Created", "json_body": {"creation_time": 42, "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>", "name": "string", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"}}
```

### Add/Update Data in Reference Table

Adds or updates data in the specified IBM QRadar reference table, using `name` to identify the table and `data` for the new content.

**Endpoint URL:** `/api/reference_data/tables/bulk_load/{{name}}`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.name | string | Required | Name of the reference table to load |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| data | array | Optional | Data to add or update in the table (outer key, inner key, value) |

**Input example**

```json
{"path_parameters": {"name": "example_name"}, "parameters": {"fields": "string"}, "data": []}
```
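The two bulk_load actions above accept whatever data the workflow hands them, and QRadar rejects the whole request when a value does not fit the collection's element type. The Python below is an added example, not connector or IBM code: it pre-checks every value against the element types listed in this page's output tables (ALN, NUM, IP, PORT, ALNIC, DATE), refuses the batch if any value is bad, and then builds the exact request (method, URL, `SEC`/`Version` headers, JSON body) that a client would send. The local checks, the `build_bulk_load_request` function and the sample host, token and entries are assumptions of the example; the body layouts (`{key: value}` for a map, `{outer_key: {inner_key: value}}` for a table) follow the QRadar bulk_load endpoints.

```python
import ipaddress
import json
from urllib.parse import quote

# Element types as enumerated in the reference-data responses on this page.
ELEMENT_TYPES = ("ALN", "NUM", "IP", "PORT", "ALNIC", "DATE")


def valid_element(value, element_type):
    """Client-side sanity check of one value against the collection's element_type.

    This is an assumption of the example, not QRadar's own validation: the
    server still has the final say, but obvious junk is stopped before the call.
    """
    value = str(value)
    if element_type in ("ALN", "ALNIC"):
        return value != "" and value.isprintable()
    if element_type == "NUM":
        try:
            float(value)
            return True
        except ValueError:
            return False
    if element_type == "IP":
        try:
            ipaddress.ip_address(value)  # accepts IPv4 and IPv6, rejects 10.0.0.999
            return True
        except ValueError:
            return False
    if element_type == "PORT":
        return value.isdigit() and int(value) <= 65535
    if element_type == "DATE":
        return value.isdigit()  # epoch milliseconds
    raise ValueError(f"unknown element_type {element_type!r}")


def build_bulk_load_request(base_url, sec_token, kind, name, element_type, data, version=None):
    """Build the POST for /api/reference_data/{maps|tables}/bulk_load/{name}.

    `data` is {key: value} for a map and {outer_key: {inner_key: value}} for a
    table. Every leaf value is checked against `element_type`; the batch is
    refused as a whole if any entry is bad, so the collection is never left
    half loaded by a request QRadar would reject anyway.
    """
    if kind not in ("maps", "tables"):
        raise ValueError("kind must be 'maps' or 'tables'")
    bad = []
    for key, entry in data.items():
        leaves = entry.items() if kind == "tables" else [(None, entry)]
        for inner, value in leaves:
            if not valid_element(value, element_type):
                bad.append((key, inner, value))
    if bad:
        raise ValueError(f"{len(bad)} value(s) not valid for {element_type}: {bad}")
    headers = {
        "SEC": sec_token,  # QRadar authorized-service token, as in the asset configuration
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    if version:
        headers["Version"] = version  # pins the API version, like the asset's API Version
    # quote(..., safe="") keeps a name containing spaces or slashes inside one path segment
    url = f"{base_url.rstrip('/')}/api/reference_data/{kind}/bulk_load/{quote(name, safe='')}"
    return {"method": "POST", "url": url, "headers": headers,
            "body": json.dumps(data, separators=(",", ":"))}


if __name__ == "__main__":
    # Constructed sample data: a hostname-to-IP map and a per-host port table.
    req = build_bulk_load_request("https://qradar.example", "0000-token", "maps", "Asset IPs",
                                  "IP", {"web01": "10.0.0.5", "vpn": "2001:db8::1"})
    print(req["url"], req["body"])
    tbl = build_bulk_load_request("https://qradar.example", "0000-token", "tables", "svc_ports",
                                  "PORT", {"web01": {"https": "443"}}, version="14.0")
    print(tbl["url"], tbl["headers"]["Version"], tbl["body"])
```

The returned dict is what the connector's HTTP layer would send; pass `req["body"]` as the request body and `req["headers"]` unchanged. A rejected batch raises before any network call, which is the behaviour you want in a playbook that feeds blocklists into reference data.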
**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Creation time of the table |
| element_type | string | Element type of the table |
| name | string | Name of the table |
| number_of_elements | number | Number of elements in the table |
| time_to_live | string | Time-to-live interval |
| timeout_type | string | Timeout type |

**Output example**

```json
{"status_code": 201, "response_headers": {}, "reason": "Created", "json_body": {"creation_time": 42, "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>", "name": "string", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"}}
```

### Create Reference Map

Creates a new reference map in IBM QRadar using the provided `name` parameter.

**Endpoint URL:** `/api/reference_data/maps`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.name | string | Required | Name of the reference map to create |
| parameters.key_label | string | Optional | Label to describe the keys |
| parameters.value_label | string | Optional | Label to describe the data values |
| parameters.element_type | string | Optional | Element type for the values allowed in the map |
| parameters.timeout_type | string | Optional | Whether the time-to-live interval is based on when the data was first seen or last seen |
| parameters.time_to_live | string | Optional | Time-to-live interval |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"parameters": {"name": "example_name", "key_label": "string", "value_label": "string", "element_type": "string", "timeout_type": "string", "time_to_live": "string", "fields": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| collection_id | number | Unique identifier of the collection |
| creation_time | number | Creation time of the map |
| element_type | string | Element type of the map |
| key_label | string | Key label |
| name | string | Name of the map |
| namespace | string | Namespace of the map |
| number_of_elements | number | Number of elements in the map |
| time_to_live | string | Time-to-live interval |
| timeout_type | string | Timeout type |
| value_label | string | Value label |

**Output example**

```json
{"status_code": 201, "response_headers": {}, "reason": "Created", "json_body": {"collection_id": 42, "creation_time": 42, "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>", "key_label": "string", "name": "string", "namespace": "String <one of: PRIVATE, SHARED, TENANT>", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>", "value_label": "string"}}
```

### Create Reference Map of Sets

Creates a new reference map of sets in IBM QRadar; a user-defined name and an element type are required.

**Endpoint URL:** `/api/reference_data/map_of_sets`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.name | string | Required | The name of the reference map of sets to create |
| parameters.element_type | string | Required | The element type for the values allowed in the reference map of sets |
| parameters.key_label | string | Optional | The label to describe the keys |
| parameters.value_label | string | Optional | The label to describe the data values |
| parameters.timeout_type | string | Optional | Indicates whether the time-to-live interval is based on when the data was first seen or last seen |
| parameters.time_to_live | string | Optional | The time-to-live interval |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"parameters": {"name": "example_name", "element_type": "string", "key_label": "string", "value_label": "string", "timeout_type": "string", "time_to_live": "string", "fields": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Creation time of the map of sets |
| element_type | string | Element type of the map of sets |
| key_label | string | Key label |
| name | string | Name of the map of sets |
| number_of_elements | number | Number of elements in the map of sets |
| time_to_live | string | Time-to-live interval |
| timeout_type | string | Timeout type |
| value_label | string | Value label |

**Output example**

```json
{"status_code": 201, "response_headers": {}, "reason": "Created", "json_body": {"creation_time": 42, "element_type": "ALN", "key_label": "string", "name": "string", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "FIRST_SEEN", "value_label": "string"}}
```

### Create Reference Table

Creates a new reference table in IBM QRadar with a defined `name` and `element_type`.

**Endpoint URL:** `/api/reference_data/tables`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.name | string | Required | Name of the reference table to create |
| parameters.outer_key_label | string | Optional | Label to describe the outer keys |
| parameters.key_name_types | string | Optional | Inner key names and their element types |
| parameters.element_type | string | Required | Element type for the values allowed in the table |
| parameters.timeout_type | string | Optional | Whether the time-to-live interval is based on when the data was first seen or last seen |
| parameters.time_to_live | string | Optional | Time-to-live interval |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"parameters": {"name": "example_name", "outer_key_label": "string", "key_name_types": "example_name", "element_type": "string", "timeout_type": "string", "time_to_live": "string", "fields": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| collection_id | number | Unique identifier of the collection |
| creation_time | number | Creation time of the table |
| element_type | string | Element type of the table |
| key_label | string | Key label |
| key_name_types | object | Inner key names mapped to their element types |
| key_name_types.String | string | Element type of the named inner key |
| name | string | Name of the table |
| namespace | string | Namespace of the table |
| number_of_elements | number | Number of elements in the table |
| time_to_live | string | Time-to-live interval |
| timeout_type | string | Timeout type |

**Output example**

```json
{"status_code": 201, "response_headers": {}, "reason": "Created", "json_body": {"collection_id": 42, "creation_time": 42, "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>", "key_label": "string", "key_name_types": {"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"}, "name": "string", "namespace": "String <one of: PRIVATE, SHARED, TENANT>", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"}}
```

### Get Offense Saved Search

Retrieves a specific offense saved search from IBM QRadar using the provided search ID.

**Endpoint URL:** `/api/siem/offense_saved_searches/{{id}}`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | number | Required | ID of the offense saved search |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"path_parameters": {"id": 1}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | number | Unique identifier of the saved search |
| name | string | Name of the saved search |
| owner | string | Owner of the saved search |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"id": 42, "name": "string", "owner": "string"}}
```

### Get Reference Map of Sets

Retrieves the list of all reference maps of sets available in IBM QRadar.

**Endpoint URL:** `/api/reference_data/map_of_sets`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"headers": {"Range": "string"}, "parameters": {"filter": "string", "fields": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| creation_time | number | Creation time of the map of sets |
| element_type | string | Element type of the map of sets |
| key_label | string | Key label |
| name | string | Name of the map of sets |
| number_of_elements | number | Number of elements in the map of sets |
| time_to_live | string | Time-to-live interval |
| timeout_type | string | Timeout type |
| value_label | string | Value label |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": {"creation_time": 42, "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>", "key_label": "string", "name": "string", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>", "value_label": "string"}}
```

### List Assets

Retrieves all network assets from the IBM QRadar asset model.

**Endpoint URL:** `/api/asset_model/assets`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas |
| parameters.sort | string | Optional | This parameter is used to sort the elements in a list |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero |

**Input example**

```json
{"parameters": {"filter": "string", "fields": "string", "sort": "string"}, "headers": {"Range": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"vulnerability_count": 42, "interfaces": [], "risk_score_sum": 42.5, "hostnames": [], "id": 42, "domain_id": 42, "properties": [], "users": [], "products": []}]}
```

### List Reference Maps

Retrieves all reference maps available in IBM QRadar.

**Endpoint URL:** `/api/reference_data/maps`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |

**Input example**

```json
{"parameters": {"filter": "string", "fields": "string"}, "headers": {"Range": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"collection_id": 42, "creation_time": 42, "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>", "key_label": "string", "name": "string", "namespace": "String <one of: PRIVATE, SHARED, TENANT>", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>", "value_label": "string"}]}
```

### List Reference Tables

Retrieves all reference tables available in IBM QRadar.

**Endpoint URL:** `/api/reference_data/tables`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |

**Input example**

```json
{"parameters": {"filter": "string", "fields": "string"}, "headers": {"Range": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"collection_id": 42, "creation_time": 42, "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>", "key_label": "string", "key_name_types": {}, "name": "string", "namespace": "String <one of: PRIVATE, SHARED, TENANT>", "number_of_elements": 42, "time_to_live": "string", "timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"}]}
```

### List Rules

Retrieves the list of rules from IBM QRadar for analysis or modification.

**Endpoint URL:** `/api/analytics/rules`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |

**Input example**

```json
{"parameters": {"filter": "string", "fields": "string"}, "headers": {"Range": "string"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {}, "reason": "OK", "json_body": [{"average_capacity": 42, "base_capacity": 42, "base_host_id": 42, "capacity_timestamp": 42, "creation_date": 42, "enabled": true, "id": 42, "identifier": "string", "linked_rule_identifier": "string", "modification_date": 42, "name": "string", "origin": "String <one of: SYSTEM, OVERRIDE, USER>", "owner": "string", "type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"}]}
```

### Get Local Destination Address

Retrieves a specific local destination address associated with an offense in IBM QRadar, using the provided address ID.

**Endpoint URL:** `/api/siem/local_destination_addresses/{{local_destination_address_id}}`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.local_destination_address_id | string | Required | ID of the local destination address |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"parameters": {"fields": "field_one(field_two, field_three),field_four"}, "path_parameters": {"local_destination_address_id": "2"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| event_flow_count | number | Number of events and flows seen for the address |
| source_address_ids | array | IDs of the source addresses associated with the address |
| first_event_flow_seen | number | Time the first event or flow was seen |
| last_event_flow_seen | number | Time the last event or flow was seen |
| magnitude | number | Magnitude |
| id | number | Unique identifier of the address |
| offense_ids | array | IDs of the offenses associated with the address |
| local_destination_ip | string | Local destination IP |
| domain_id | number | ID of the domain |
| network | string | Network the address belongs to |

**Output example**

```json
{"event_flow_count": 123, "source_address_ids": [123], "first_event_flow_seen": 123, "last_event_flow_seen": 123, "magnitude": 123, "id": 123, "offense_ids": [123], "local_destination_ip": "string", "domain_id": 123, "network": "string"}
```

### Get Log Source Types

Retrieves the list of log source types from IBM QRadar.

**Endpoint URL:** `/api/config/event_sources/log_source_management/log_source_types`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |

**Input example**

```json
{"parameters": {"fields": "field_one(field_two, field_three),field_four", "filter": "log_source_extension_id = '0'"}, "headers": {"Range": "items=0-49"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
[]
```

### Create Log Source

Creates a new log source in IBM QRadar using the configuration details provided in the JSON body input.

**Endpoint URL:** `/api/config/event_sources/log_source_management/log_sources`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parsing_order | number | Optional | Parsing order of the log source |
| internal | boolean | Optional | Whether the log source is internal |
| gateway | boolean | Optional | Whether the log source is a gateway |
| protocol_parameters | array | Optional | Protocol parameters of the log source |
| protocol_parameters.id | number | Optional | ID of the protocol parameter |
| protocol_parameters.value | string | Optional | Value of the protocol parameter |
| protocol_parameters.name | string | Optional | Name of the protocol parameter |
| target_event_collector_id | number | Optional | ID of the target event collector |
| log_source_extension_id | object | Optional | ID of the log source extension |
| enabled | boolean | Optional | Whether the log source is enabled |
| coalesce_events | boolean | Optional | Whether events are coalesced |
| name | string | Optional | Name of the log source |
| wincollect_external_destination_ids | object | Optional | IDs of the WinCollect external destinations |
| description | string | Optional | Description of the log source |
| sending_ip | object | Optional | Sending IP of the log source |
| language_id | number | Optional | ID of the language |
| credibility | number | Optional | Credibility of the log source |
| last_event_time | number | Optional | Time of the last event |
| wincollect_internal_destination_id | object | Optional | ID of the WinCollect internal destination |
| average_eps | number | Optional | Average events per second |
| disconnected_log_collector_id | object | Optional | ID of the disconnected log collector |
| requires_deploy | boolean | Optional | Whether a deploy is required |
| auto_discovered | boolean | Optional | Whether the log source was auto-discovered |
| type_id | number | Optional | ID of the log source type |
| protocol_type_id | number | Optional | ID of the protocol type |

**Input example**

```json
{"json_body": {"parsing_order": 0, "internal": false, "gateway": false, "protocol_parameters": [{"id": 0, "value": "facf-c4b8_9937_5f98-e78a-e48f-e34a-b143", "name": "identifier"}], "target_event_collector_id": 7, "log_source_extension_id": null, "enabled": true, "coalesce_events": true, "name": "Swimlane test facf-c4b8_9937_5f98-e78a-e48f-e34a-b", "wincollect_external_destination_ids": null, "description": "Swimlane test", "sending_ip": null, "language_id": 1, "credibility": 8, "last_event_time": 0, "wincollect_internal_destination_id": null, "average_eps": 0, "disconnected_log_collector_id": null, "requires_deploy": true, "auto_discovered": false, "type_id": 115, "protocol_type_id": 0, "store_event_payload": true, "group_ids": [0]}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| sending_ip | object | Sending IP |
| internal | boolean | Whether the log source is internal |
| protocol_parameters | array | Protocol parameters |
| protocol_parameters.name | string | Name of the protocol parameter |
| protocol_parameters.id | number | ID of the protocol parameter |
| protocol_parameters.value | string | Value of the protocol parameter |
| description | string | Description |
| coalesce_events | boolean | Whether events are coalesced |
| enabled | boolean | Whether the log source is enabled |
| parsing_order | number | Parsing order |
| average_eps | number | Average events per second |
| group_ids | array | IDs of the log source groups |
| credibility | number | Credibility |
| id | number | Unique identifier of the log source |
| store_event_payload | boolean | Whether event payloads are stored |
| target_event_collector_id | number | ID of the target event collector |
| protocol_type_id | number | ID of the protocol type |
| language_id | number | ID of the language |
| creation_date | number | Creation date |
| wincollect_external_destination_ids | object | IDs of the WinCollect external destinations |
| log_source_extension_id | object | ID of the log source extension |
| name | string | Name of the log source |
| modified_date | number | Modification date |

**Output example**

```json
{"sending_ip": {}, "internal": true, "protocol_parameters": [{"name": "example_name", "id": 123, "value": "string"}], "description": "string", "coalesce_events": true, "enabled": true, "parsing_order": 123, "average_eps": 123, "group_ids": [123], "credibility": 123, "id": 123, "store_event_payload": true, "target_event_collector_id": 123, "protocol_type_id": 123, "language_id": 123}
```

### Get Log Sources

Retrieves the list of log sources from IBM QRadar.

**Endpoint URL:** `/api/config/event_sources/log_source_management/log_sources`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.sort | string | Optional | This parameter is used to sort the elements in a list |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| headers.X-QRD-Encryption-Algorithm | string | Optional | Algorithm used to encrypt protocol parameters in the response |
| headers.X-QRD-Encryption-Password | string | Optional | Password used to encrypt protocol parameters in the response |

**Input example**

```json
{"parameters": {"fields": "field_one(field_two, field_three),field_four", "filter": "field_one = 'string' and field_two > 42 or not field_three in (1, 2, 3)", "sort": "+field_one, object(sub_field)"}, "headers": {"Range": "items=0-49", "X-QRD-Encryption-Algorithm": "AES256", "X-QRD-Encryption-Password": "testpassword"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
[]
```

### Get Offenses

Retrieves the list of offenses from IBM QRadar.

**Endpoint URL:** `/api/siem/offenses`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |
| parameters.sort | string | Optional | This parameter is used to sort the elements in a list |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"parameters": {"filter": "last_persisted_time >= 1668526028000", "sort": "+field_one, object(sub_field)", "fields": "field_one(field_two, field_three),field_four"}, "headers": {"Range": "items=0-49"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
[]
```

### Get Offense by ID

Retrieves the properties of a specific offense in IBM QRadar using the provided offense ID.

**Endpoint URL:** `/api/siem/offenses/{{offense_id}}`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.offense_id | number | Required | ID of the offense |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"parameters": {"fields": "field_one(field_two, field_three),field_four"}, "path_parameters": {"offense_id": 7544}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_persisted_time | number | Time the offense was last persisted |
| username_count | number | Number of usernames involved |
| description | string | Description of the offense |
| rules | array | Rules that contributed to the offense |
| rules.id | number | ID of the rule |
| rules.type | string | Type of the rule |
| event_count | number | Number of events |
| flow_count | number | Number of flows |
| assigned_to | object | User the offense is assigned to |
| security_category_count | number | Number of security categories |
| follow_up | boolean | Whether the offense is flagged for follow-up |
| source_address_ids | array | IDs of the source addresses |
| source_count | number | Number of sources |
| inactive | boolean | Whether the offense is inactive |
| protected | boolean | Whether the offense is protected |
| closing_user | string | User who closed the offense |
| destination_networks | array | Destination networks |
| source_network | string | Source network |
| category_count | number | Number of categories |
| close_time | number | Time the offense was closed |
| remote_destination_count | number | Number of remote destinations |
| start_time | number | Time the offense started |
| magnitude | number | Magnitude |

**Output example**

```json
{"last_persisted_time": 123, "username_count": 123, "description": "string", "rules": [{"id": 123, "type": "string"}], "event_count": 123, "flow_count": 123, "assigned_to": {}, "security_category_count": 123, "follow_up": true, "source_address_ids": [123], "source_count": 123, "inactive": true, "protected": true, "closing_user": "string", "destination_networks": ["string"]}
```

### Create Offense Note

Creates a note for the specified offense in IBM QRadar, using the offense ID and the provided note text.

**Endpoint URL:** `/api/siem/offenses/{{offense_id}}/notes`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.offense_id | number | Required | ID of the offense |
| parameters.note_text | string | Required | Text of the note |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |

**Input example**

```json
{"parameters": {"note_text": "test note", "fields": "field_one(field_two, field_three),field_four"}, "path_parameters": {"offense_id": 7544}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| note_text | string | Text of the note |
| create_time | number | Time the note was created |
| id | number | Unique identifier of the note |
| username | string | User who created the note |

**Output example**

```json
{"note_text": "string", "create_time": 123, "id": 123, "username": "example_name"}
```

### Get Offense Notes

Retrieves all notes associated with a specific offense in IBM QRadar, identified by `offense_id`.

**Endpoint URL:** `/api/siem/offenses/{{offense_id}}/notes`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.offense_id | number | Required | ID of the offense |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| parameters.filter | string | Optional | This parameter is used to restrict the elements in a list based on the contents of various fields |

**Input example**

```json
{"parameters": {"fields": "field_one(field_two, field_three),field_four", "filter": "field_one = 'string' and field_two > 42 or not field_three in (1, 2, 3)"}, "path_parameters": {"offense_id": 7544}, "headers": {"Range": "items=0-49"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
[]
```

### Update Offense

Updates an existing offense in IBM QRadar using the specified offense ID.

**Endpoint URL:** `/api/siem/offenses/{{offense_id}}`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.offense_id | number | Required | ID of the offense |
| parameters.assigned_to | string | Optional | User to assign the offense to |
| parameters.closing_reason_id | number | Optional | ID of the closing reason |
| parameters.fields | string | Optional | Use this parameter to specify which fields you would like to get back in the response |
| parameters.follow_up | boolean | Optional | Whether to flag the offense for follow-up |
| parameters.protected | boolean | Optional | Whether to protect the offense |
| parameters.status | string | Optional | New status of the offense |

**Input example**

```json
{"parameters": {"assigned_to": "username", "closing_reason_id": 42, "fields": "field_one(field_two, field_three),field_four", "follow_up": true, "protected": true, "status": "OPEN"}, "path_parameters": {"offense_id": 7544}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| last_persisted_time | number | Time the offense was last persisted |
| username_count | number | Number of usernames involved |
| description | string | Description of the offense |
| rules | array | Rules that contributed to the offense |
| rules.id | number | ID of the rule |
| rules.type | string | Type of the rule |
| event_count | number | Number of events |
| flow_count | number | Number of flows |
| assigned_to | object | User the offense is assigned to |
| security_category_count | number | Number of security categories |
| follow_up | boolean | Whether the offense is flagged for follow-up |
| source_address_ids | array | IDs of the source addresses |
| source_count | number | Number of sources |
| inactive | boolean | Whether the offense is inactive |
| protected | boolean | Whether the offense is protected |
| closing_user | string | User who closed the offense |
| destination_networks | array | Destination networks |
| source_network | string | Source network |
| category_count | number | Number of categories |
| close_time | number | Time the offense was closed |
| remote_destination_count | number | Number of remote destinations |
| start_time | number | Time the offense started |
| magnitude | number | Magnitude |

**Output example**

```json
{"last_persisted_time": 123, "username_count": 123, "description": "string", "rules": [{"id": 123, "type": "string"}], "event_count": 123, "flow_count": 123, "assigned_to": {}, "security_category_count": 123, "follow_up": true, "source_address_ids": [123], "source_count": 123, "inactive": true, "protected": true, "closing_user": "string", "destination_networks": ["string"]}
```

### Create Query

Starts a new Ariel search in IBM QRadar from an AQL query expression (or a saved search ID).

**Endpoint URL:** `/api/ariel/searches`
**Method:** POST

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.query_expression | string | Optional | AQL query expression to run |
| parameters.saved_search_id | number | Optional | ID of a saved search to run |

**Input example**

```json
{"parameters": {"query_expression": "SELECT sourceip FROM events", "saved_search_id": 42}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor_id | string | Unique identifier of the search cursor |
| status | string | Status of the search |
| compressed_data_file_count | number | Number of compressed data files |
| compressed_data_total_size | number | Total size of compressed data |
| data_file_count | number | Number of data files |
| data_total_size | number | Total size of data |
| index_file_count | number | Number of index files |
| index_total_size | number | Total size of indexes |
| processed_record_count | number | Number of records processed |
| desired_retention_time_msec | number | Desired retention time in milliseconds |
| progress | number | Progress of the search |
| progress_details | array | Progress details |
| progress_details.file_name | string | File name |
| progress_details.file | string | File |
| query_execution_time | number | Query execution time |
| query_string | string | Query string |
| record_count | number | Number of records in the result |
| size_on_disk | number | Size on disk |
| save_results | boolean | Whether results are saved |
| completed | boolean | Whether the search has completed |
| subsearch_ids | array | IDs of subsearches |
| subsearch_ids.file_name | string | File name of the subsearch |
| subsearch_ids.file | string | File of the subsearch |

**Output example**

```json
{"cursor_id": "string", "status": "active", "compressed_data_file_count": 123, "compressed_data_total_size": 123, "data_file_count": 123, "data_total_size": 123, "index_file_count": 123, "index_total_size": 123, "processed_record_count": 123, "desired_retention_time_msec": 123, "progress": 123, "progress_details": [{"file_name": "example_name", "file": "string"}], "query_execution_time": 123, "query_string": "string", "record_count": 123}
```

### Get Query Results

Retrieves the results of a specific Ariel search in IBM QRadar using the provided search ID.

**Endpoint URL:** `/api/ariel/searches/{{search_id}}/results`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.search_id | string | Required | ID of the Ariel search |
| headers | object | Optional | HTTP headers for the request |
| headers.Range | string | Optional | Use this parameter to restrict the number of elements that are returned in the list to a specified range |

**Input example**

```json
{"path_parameters": {"search_id": "f048831a-434a-448f-81c9-d0815e40fcca"}, "headers": {"Range": "items=0-49"}}
```

**Output**

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{}
```

### Get Query Status

Retrieves the current status of a specific Ariel search in IBM QRadar using the provided search ID.

**Endpoint URL:** `/api/ariel/searches/{{search_id}}`
**Method:** GET

**Input**

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.search_id | string | Required | ID of the Ariel search |
| headers | object | Optional | HTTP headers for the request |
| headers.Prefer | string | Optional | Use `wait=N` to have QRadar hold the request up to N seconds for the search to complete |
input example {"path parameters" {"search id" "24e5a350 5e21 43c4 9b33 56534895c833"},"headers" {"prefer" "wait=1"}} output parameter type description status code number http status code of the response reason string response reason phrase cursor id string unique identifier status string status value compressed data file count number response data compressed data total size number response data data file count number response data data total size number response data index file count number count value index total size number output field index total size processed record count number count value desired retention time msec number output field desired retention time msec progress number output field progress progress details array output field progress details progress details file name string name of the resource progress details file string output field progress details file query execution time number time value query string string output field query string record count number count value size on disk number output field size on disk save results boolean result of the operation completed boolean output field completed subsearch ids array unique identifier subsearch ids file name string unique identifier subsearch ids file string unique identifier output example {"status code" 200,"response headers" {"server" "qradar","expires" "0, 0","pragma" "no cache, no cache","cache control" "no cache, no store, must revalidate, no cache, no store, must revalidate","x xss protection" "1; mode=block","x content type options" "nosniff","strict transport security" "max age=31536000; includesubdomains;, max age=31536000; includesubdomains","content type" "application/json;charset=utf 8","x frame options" "sameorigin","date" "wed, 22 feb 2023 16 03 38 gmt","content leng get rule retrieves a specific security rule from ibm qradar using the provided rule id endpoint url api/analytics/rules/{{id}} method get input argument name type required description path parameters id string 
required parameters for the get rule action parameters fields string optional parameters for the get rule action input example {"parameters" {"fields" "field one (field two, field three),field four"},"path parameters" {"id" "100639"}} output parameter type description status code number http status code of the response reason string response reason phrase owner string output field owner identifier string unique identifier base host id number unique identifier capacity timestamp number output field capacity timestamp origin string output field origin creation date number date value type string type of the resource enabled boolean output field enabled modification date number date value linked rule identifier object unique identifier name string name of the resource average capacity number output field average capacity id number unique identifier base capacity number output field base capacity output example {"owner" "string","identifier" "string","base host id" 123,"capacity timestamp" 123,"origin" "string","creation date" 123,"type" "string","enabled"\ true,"modification date" 123,"linked rule identifier" {},"name" "example name","average capacity" 123,"id" 123,"base capacity" 123} get source addresses retrieve a list of offense source addresses from ibm qradar, detailing active system threats endpoint url api/siem/source addresses method get input argument name type required description parameters filter string optional parameters for the get source addresses action parameters fields string optional parameters for the get source addresses action headers object optional http headers for the request headers range string optional http headers for the request input example {"parameters" {"filter" "first event flow seen >= 1634663234343","fields" "field one (field two, field three),field four"},"headers" {"range" "items=0 49"}} output parameter type description status code number http status code of the response reason string response reason phrase output example \[] 
response headers header description example cache control directives for caching mechanisms no cache, no store, must revalidate, no cache, no store, must revalidate connection http response header connection keep alive content length the length of the response body in bytes 609 content range http response header content range content type the media type of the resource application/json;charset=utf 8 date the date and time at which the message was originated wed, 22 feb 2023 16 03 38 gmt expires the date/time after which the response is considered stale 0, 0 location the url to redirect a page to pragma http response header pragma no cache, no cache server information about the software used by the origin server qradar set cookie http response header set cookie jsessionid=c0da0a55b56c0a3c3bd5c7c47f912a62; path=/; secure; httponly;secure;samesite=lax strict transport security http response header strict transport security max age=31536000; includesubdomains;, max age=31536000; includesubdomains transfer encoding http response header transfer encoding x content type options http response header x content type options nosniff x frame options http response header x frame options sameorigin x xss protection http response header x xss protection 1; mode=block
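The Create Query, Get Query Status and Get Query Results actions above form one workflow: start an Ariel search, poll its status until `completed` is true (with `Prefer: wait=1`, as in the doc example), then page the results with `Range: items=a-b` headers. The following is an added example, not code from the Swimlane connector or from IBM; `FakeArielApi` is a constructed in-memory stand-in for the three endpoints, and the search id, row data and the `events` result key are assumptions.

```python
import re


class FakeArielApi:
    """Constructed stand-in for the three api/ariel/searches endpoints (not the real API)."""

    def __init__(self, rows, polls_until_done=2):
        self.rows, self.polls_left, self.search_id = rows, polls_until_done, None

    def create(self, query_expression):  # POST api/ariel/searches
        self.search_id = "c0ffee00-0000-4000-8000-000000000001"  # constructed id
        return {"cursor_id": self.search_id, "completed": False, "record_count": 0}

    def status(self, search_id, prefer=None):  # GET api/ariel/searches/{{search_id}}
        assert search_id == self.search_id
        self.polls_left = max(0, self.polls_left - 1)  # each poll brings the search closer
        done = self.polls_left == 0
        return {"cursor_id": search_id, "completed": done,
                "record_count": len(self.rows) if done else 0}

    def results(self, search_id, range_header):  # GET api/ariel/searches/{{search_id}}/results
        m = re.fullmatch(r"items=(\d+)-(\d+)", range_header)  # Range: items=0-49 style
        lo, hi = int(m.group(1)), int(m.group(2))
        return {"events": self.rows[lo:hi + 1]}  # inclusive upper bound, like HTTP ranges


def run_ariel_search(api, aql, page_size=2, max_polls=10):
    """Create the search, poll until `completed`, then page results with Range headers."""
    search_id = api.create(aql)["cursor_id"]
    for _ in range(max_polls):
        st = api.status(search_id, prefer="wait=1")  # Prefer: wait=1 from the doc example
        if st["completed"]:
            break
    else:
        # bound the polling loop so a stuck search cannot hang the playbook
        raise TimeoutError(f"search {search_id} not completed after {max_polls} polls")
    rows, start = [], 0
    while start < st["record_count"]:
        page = api.results(search_id, f"items={start}-{start + page_size - 1}")["events"]
        if not page:  # defensive stop if the server returns fewer rows than announced
            break
        rows.extend(page)
        start += len(page)
    return rows


if __name__ == "__main__":
    api = FakeArielApi([{"sourceip": f"10.0.0.{i}"} for i in range(5)])  # constructed rows
    print(run_ariel_search(api, "select sourceip from events"))
```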