IBM QRadar v2

Fetch offenses as incidents and search QRadar. This integration was integrated and tested with version 7.3.2 of QRadar.

Configure QRadar_v2 on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for QRadar_v2.
  3. Click Add instance to create and configure a new integration instance.

| Parameter | Description | Required |
| --- | --- | --- |
| server | Server URL (e.g. https://8.8.8.8) | True |
| credentials | Username / API Key (see '?') | False |
| query | Query to fetch offenses | False |
| offenses_per_fetch | Number of offenses to pull per API call (max 50) | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| Long running instance | Fetches incidents | False |
| incidentType | Incident type | False |
| full_enrich | Full Incident Enrichment | False |
| longRunning | Long running instance | False |
| events_columns | Event columns to return from the events query | False |
| fetch_mode | Fetch mode | True |
| events_limit | Max number of events per incident | False |
| adv_params | Advanced Parameters | False |

  4. Click Test to validate the URLs, token, and connection.

Troubleshooting Performance Issues

In some cases, you might encounter performance issues when running QRadar AQL queries from Demisto. This issue is caused by QRadar API limitations. We recommend that you test the QRadar API performance by running several cURL scripts.

1. Creating a search

Run the following command to use the QRadar API to create a new search. Save the QUERY ID that is attached to the response for the next step.

curl -H "SEC: <API KEY>" -X POST <QRADAR INSTANCE>/api/ariel/searches?query_expression=<QUERY IN URL SAFE ENCODING>

2. Check if the search status is Complete or Executing

Use the following command to use the QRadar API to check the query status (EXECUTE, COMPLETED, or ERROR).

curl -H "SEC: <API KEY>" -X GET <QRADAR INSTANCE>/api/ariel/searches/<QUERY ID>
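The two-step flow above (create the search, then poll its status until it is COMPLETED) as an added Python example; this is not code from the QRadar_v2 integration. The `/api/ariel/searches` paths and the `SEC` header are the ones used in the curl commands; the `/results` path and the `Range` header are taken from QRadar's Ariel REST API and are not on this page, and `FakeQRadar` is a constructed stand-in so the example runs offline.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# A transport performs one HTTP call and returns the decoded JSON body:
# transport(method, url, headers) -> dict
Transport = Callable[[str, str, Dict[str, str]], Dict[str, Any]]

# States after which polling must stop; only COMPLETED has results.
TERMINAL_STATES = {"COMPLETED", "CANCELED", "ERROR"}


class ArielSearchError(RuntimeError):
    """A search ended in CANCELED/ERROR or did not complete before the timeout."""


def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Dict[str, Any]:
    """Real transport (standard library only); certificate validation stays on."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)


class ArielSearchClient:
    """Create an AQL search, poll it to a terminal state, then read its results."""

    def __init__(self, base_url: str, api_key: str, transport: Transport = urllib_transport) -> None:
        self.base_url = base_url.rstrip("/")
        # QRadar authenticates API calls with the SEC header, as in the curl commands.
        self.headers = {"SEC": api_key, "Accept": "application/json"}
        self.transport = transport

    def create_search(self, aql: str) -> str:
        # The AQL travels in the query string, so it must be URL-safe encoded.
        encoded = urllib.parse.quote(aql, safe="")
        url = f"{self.base_url}/api/ariel/searches?query_expression={encoded}"
        return self.transport("POST", url, self.headers)["search_id"]

    def get_status(self, search_id: str) -> str:
        url = f"{self.base_url}/api/ariel/searches/{search_id}"
        return self.transport("GET", url, self.headers)["status"]

    def wait_for_completion(self, search_id: str, poll_interval: float = 2.0,
                            timeout: float = 600.0) -> str:
        """Poll until COMPLETED; raise on CANCELED/ERROR or when the timeout expires."""
        deadline = time.monotonic() + timeout
        while True:
            status = self.get_status(search_id)
            if status == "COMPLETED":
                return status
            if status in TERMINAL_STATES:
                raise ArielSearchError(f"search {search_id} ended with status {status}")
            if time.monotonic() >= deadline:
                raise ArielSearchError(f"search {search_id} still {status} after {timeout}s")
            time.sleep(poll_interval)

    def get_results(self, search_id: str, result_range: Optional[str] = None) -> List[Dict[str, Any]]:
        # Page the result set with the HTTP Range header ("0-20" -> "items=0-20").
        headers = dict(self.headers)
        if result_range:
            headers["Range"] = f"items={result_range}"
        url = f"{self.base_url}/api/ariel/searches/{search_id}/results"
        return self.transport("GET", url, headers)["events"]

    def run_search(self, aql: str, result_range: Optional[str] = None,
                   poll_interval: float = 2.0, timeout: float = 600.0) -> List[Dict[str, Any]]:
        search_id = self.create_search(aql)
        self.wait_for_completion(search_id, poll_interval, timeout)
        return self.get_results(search_id, result_range)


class FakeQRadar:
    """Constructed stand-in for a QRadar instance: replays a status sequence
    (the last status repeats) and returns canned events. Not a real server."""

    def __init__(self, statuses: List[str], events: List[Dict[str, Any]]) -> None:
        self.statuses = list(statuses)
        self.events = events
        self.calls: List[str] = []        # "METHOD path" per request, for inspection
        self.query: Optional[str] = None  # decoded AQL received on create

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Dict[str, Any]:
        parts = urllib.parse.urlsplit(url)
        self.calls.append(f"{method} {parts.path}")
        if method == "POST" and parts.path == "/api/ariel/searches":
            self.query = urllib.parse.parse_qs(parts.query)["query_expression"][0]
            return {"search_id": "ddd8ef78-4bff-4453-ab10-24f0fe1fa763", "status": "WAIT"}
        if method == "GET" and parts.path.endswith("/results"):
            return {"events": self.events}
        if method == "GET" and parts.path.startswith("/api/ariel/searches/"):
            status = self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]
            return {"status": status}
        raise AssertionError(f"unexpected request {method} {url}")


def demo() -> List[Dict[str, Any]]:
    """Run the page's example AQL against the fake instance (WAIT -> EXECUTE -> COMPLETED)."""
    fake = FakeQRadar(["WAIT", "EXECUTE", "COMPLETED"], [{"MY Source IPs": "8.8.8.8"}])
    client = ArielSearchClient("https://qradar.example", "constructed-api-key", fake)
    return client.run_search("SELECT sourceip AS 'MY Source IPs' FROM events",
                             result_range="0-20", poll_interval=0)


if __name__ == "__main__":
    print(demo())
```

Against a real instance, construct `ArielSearchClient(url, api_key)` with the default transport; a slow search shows up as repeated EXECUTE responses, which is exactly what the integration's performance issues look like from the API side.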

Using API Token authentication

In order to use the integration with an API token you'll first need to change the Username / API Key (see '?') field to _api_token_key. Following this step, you can now enter the API Token into the Password field - this value will be used as an API key.

Fetch incidents

To start fetching incidents, enable the parameter Long running instance - this will start a long running process that'll fetch incidents periodically. Depending on the system load, the initial fetch might take a long time.

Field (Schema) Mapping

The schema is divided into 4 sections: Offense (root), Events: Builtins, Events: Custom Fields, and Assets. For more details, see the Classification & Mapping documentation.

Query to fetch offenses

You can apply additional (optional) filters for the fetch-incident query using the Query to fetch offenses integration parameter. For more information on how to use the filter syntax, see the QRadar filter documentation and QRadar offense documentation.

  • Incident IP Enrichment - When enabled, the IP values of fetched incidents (local source addresses and local destination addresses) are fetched from QRadar instead of their ID values.
  • Incident Asset Enrichment - When enabled, fetched offenses will also contain correlated assets.

Reset the "last run" timestamp

To reset fetch incidents, run qradar-reset-last-run - this resets the fetch to its initial state (it will try to fetch the first available offense).

Required Permissions

  • Assets - Vulnerability Management or Assets
  • Domains - Admin
  • Offenses (Manage Closing Reason) - Manage Offense Closing Reasons
  • Offenses (Assign Offenses to Users) - Assign Offenses to Users
  • Offenses (Read) - Offenses
  • References (Create/Update) - admin
  • References (Read) - View Reference Data

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

qradar-offenses


Gets offenses from QRadar

Base Command

qradar-offenses

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Query to filter offenses. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-GET.html | Optional |
| range | Range of results to return. e.g.: 0-20 | Optional |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Followup | boolean | Offense followup. |
| QRadar.Offense.ID | number | The ID of the offense. |
| QRadar.Offense.Description | string | The description of the offense. |
| QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
| QRadar.Offense.DestinationAddress | Unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, you will need to use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.RemoteDestinationCount | Unknown | The remote destinations that are associated with the offense. If this value is greater than 0, your offense has a remote destination and you will need to use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
| QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
| QRadar.Offense.Magnitude | number | The magnitude of the offense. |
| QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
| QRadar.Offense.OffenseType | string | The offense type (due to API limitations, if a username and password were not provided, this value will be the ID of the offense type). |

Command Example

!qradar-offenses range=0-1 filter="follow_up=false"

Context Example

{
  "QRadar": {
    "Offense": [
      {
        "Description": "Outbound port scan\n",
        "DestinationAddress": [
          "8.8.8.8"
        ],
        "EventCount": 22,
        "Followup": false,
        "ID": 477,
        "LastUpdatedTime": "2020-08-04T08:37:49.416000Z",
        "Magnitude": 2,
        "OffenseType": "Source IP",
        "RemoteDestinationCount": 4,
        "SourceAddress": [
          "8.8.8.8"
        ],
        "StartTime": "2020-08-04T08:34:21.690000Z"
      },
      {
        "Description": "Multiple Login Failures for the Same User\n preceded by DJM\n preceded by Port Scan detected\n containing Failure Audit: An account failed to log on\n",
        "DestinationAddress": [
          "8.8.8.8"
        ],
        "EventCount": 15,
        "Followup": false,
        "ID": 476,
        "LastUpdatedTime": "2020-08-04T08:37:57.209000Z",
        "Magnitude": 1,
        "OffenseType": "Username",
        "RemoteDestinationCount": 0,
        "SourceAddress": [
          "8.8.8.8"
        ],
        "StartTime": "2020-08-04T08:36:57.209000Z"
      }
    ]
  }
}

Human Readable Output

QRadar offenses

| ID | Description | Followup | SourceAddress | DestinationAddress | RemoteDestinationCount | StartTime | EventCount | Magnitude | LastUpdatedTime | OffenseType |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 477 | Outbound port scan | false | 8.8.8.8 | 8.8.8.8, 8.8.8.8, 8.8.8.8 | 4 | 2020-08-04T08:34:21.690000Z | 22 | 2 | 2020-08-04T08:37:49.416000Z | Source IP |
| 476 | Multiple Login Failures for the Same User preceded by DJM preceded by Port Scan detected containing Failure Audit: An account failed to log on | false | ::1, 8.8.8.8 | 8.8.8.8 | 0 | 2020-08-04T08:36:57.209000Z | 15 | 1 | 2020-08-04T08:37:57.209000Z | Username |

qradar-offense-by-id


Gets the offense with the matching offense ID from QRadar.

Base Command

qradar-offense-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | Offense ID | Required |
| filter | Query to filter offense. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-GET.html | Optional |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Credibility | number | The credibility of the offense. |
| QRadar.Offense.Relevance | number | The relevance of the offense. |
| QRadar.Offense.Severity | number | The severity of the offense. |
| QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
| QRadar.Offense.DestinationAddress | Unknown | The local destination addresses that are associated with the offense. If your offense has a remote destination, you will need to use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.RemoteDestinationCount | Unknown | The remote destinations that are associated with the offense. If this value is greater than 0, your offense has a remote destination and you will need to use the QRadarFullSearch playbook with the following query: SELECT destinationip FROM events WHERE inOffense(<offenseID>) GROUP BY destinationip |
| QRadar.Offense.AssignedTo | string | The user the offense is assigned to. |
| QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
| QRadar.Offense.ID | int | The ID of the offense. |
| QRadar.Offense.DestinationHostname | Unknown | Destination hostname. |
| QRadar.Offense.Description | string | The description of the offense. |
| QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
| QRadar.Offense.OffenseSource | string | The source of the offense. |
| QRadar.Offense.Status | string | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| QRadar.Offense.Magnitude | number | The magnitude of the offense. |
| QRadar.Offense.ClosingUser | string | The user that closed the offense. |
| QRadar.Offense.ClosingReason | string | The offense closing reason. |
| QRadar.Offense.CloseTime | date | The time when the offense was closed. |
| QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
| QRadar.Offense.Categories | Unknown | Event categories that are associated with the offense. |
| QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
| QRadar.Offense.FollowUp | boolean | Offense followup. |
| QRadar.Offense.OffenseType | string | A number that represents the offense type. |
| QRadar.Offense.Protected | boolean | Whether the offense is protected. |

Command Example

!qradar-offense-by-id offense_id=450

Context Example

{
  "QRadar": {
    "Offense": {
      "Categories": [
        "Firewall Session Closed",
        "Host Port Scan"
      ],
      "Credibility": 3,
      "Description": "Outbound port scan\n",
      "DestinationAddress": [
        "8.8.8.8"
      ],
      "DestinationHostname": [
        "Net-10-172-192.Net_10_0_0_0"
      ],
      "EventCount": 5,
      "FlowCount": 0,
      "Followup": false,
      "ID": 450,
      "LastUpdatedTime": "2020-07-22T14:45:39.082000Z",
      "Magnitude": 2,
      "OffenseSource": "8.8.8.8",
      "OffenseType": "Source IP",
      "Protected": false,
      "Relevance": 0,
      "RemoteDestinationCount": 0,
      "Severity": 5,
      "SourceAddress": [
        "8.8.8.8"
      ],
      "StartTime": "2020-07-22T14:40:43.870000Z",
      "Status": "OPEN"
    }
  }
}

Human Readable Output

QRadar Offenses

| Categories | Credibility | Description | DestinationAddress | DestinationHostname | EventCount | FlowCount | Followup | ID | LastUpdatedTime | Magnitude | OffenseSource | OffenseType | Protected | Relevance | RemoteDestinationCount | Severity | SourceAddress | StartTime | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Firewall Session Closed, Host Port Scan | 3 | Outbound port scan | 8.8.8.8 | Net-10-172-192.Net_10_0_0_0 | 5 | 0 | false | 450 | 2020-07-22T14:45:39.082000Z | 2 | 8.8.8.8 | Source IP | false | 0 | 0 | 5 | 8.8.8.8 | 2020-07-22T14:40:43.870000Z | OPEN |

qradar-searches


Searches in QRadar using AQL. It is highly recommended to use the 'QRadarFullSearch' playbook instead of this command: it executes the search, waits for it, and returns the result.

Base Command

qradar-searches

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query_expression | The query expression in AQL (for more information about Ariel Query Language please review https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.0/com.ibm.qradar.doc/c_aql_intro.html) | Required |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.ID | number | Search ID |
| QRadar.Search.Status | string | The status of the search. |

Command Example

!qradar-searches query_expression="SELECT sourceip AS 'MY Source IPs' FROM events"

Context Example

{
  "QRadar": {
    "Search": {
      "ID": "ddd8ef78-4bff-4453-ab10-24f0fe1fa763",
      "Status": "WAIT"
    }
  }
}

Human Readable Output

QRadar Search

| ID | Status |
| --- | --- |
| ddd8ef78-4bff-4453-ab10-24f0fe1fa763 | WAIT |

qradar-get-search


Gets the ID and status of a specific search.

Base Command

qradar-get-search

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search_id | The search ID | Required |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.ID | number | Search ID |
| QRadar.Search.Status | string | The status of the search. |

Command Example

!qradar-get-search search_id=6212b614-074e-41c1-8fcf-1492834576b8

Context Example

{
  "QRadar": {
    "Search": {
      "ID": "6212b614-074e-41c1-8fcf-1492834576b8",
      "Status": "COMPLETED"
    }
  }
}

Human Readable Output

QRadar Search Info

| ID | Status |
| --- | --- |
| 6212b614-074e-41c1-8fcf-1492834576b8 | COMPLETED |

qradar-get-search-results


Gets search results

Base Command

qradar-get-search-results

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| search_id | The search ID | Required |
| range | Range of results to return. e.g.: 0-20 | Optional |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |
| output_path | Replaces the default context output path for the query result (QRadar.Search.Result). e.g. for output_path=QRadar.Correlations the result will be under the key "QRadar.Correlations" in the context data. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Search.Result | Unknown | The result of the search |

Command Example

!qradar-get-search-results search_id=6212b614-074e-41c1-8fcf-1492834576b8

Context Example

{
  "QRadar": {
    "Search": {
      "Result": {
        "events": [
          {
            "MY Source IPs": "8.8.8.8"
          }
        ]
      }
    }
  }
}

Human Readable Output

QRadar Search Results from events

| MY Source IPs |
| --- |
| 8.8.8.8 |

qradar-update-offense


Update an offense

Base Command

qradar-update-offense

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The ID of the offense to update | Required |
| protected | Set to true to protect the offense | Optional |
| follow_up | Set to true to set the follow up flag on the offense | Optional |
| status | The new status for the offense | Optional |
| closing_reason_id | The id of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing_reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation | Optional |
| closing_reason_name | The name of a closing reason. You must provide a valid closing_reason_name when you close an offense. The default closing_reasons are: (1) False-Positive, Tuned (2) Non-Issues (3) Policy Violation | Optional |
| assigned_to | A user to assign the offense to | Optional |
| fields | Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. Please consult - https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-POST.html | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.Credibility | number | The credibility of the offense. |
| QRadar.Offense.Relevance | number | The relevance of the offense. |
| QRadar.Offense.Severity | number | The severity of the offense. |
| QRadar.Offense.SourceAddress | Unknown | The source addresses that are associated with the offense. |
| QRadar.Offense.DestinationAddress | Unknown | The destination addresses that are associated with the offense. |
| QRadar.Offense.AssignedTo | string | The user the offense is assigned to. |
| QRadar.Offense.StartTime | date | The time (ISO) when the offense was started. |
| QRadar.Offense.ID | int | The ID of the offense. |
| QRadar.Offense.DestinationHostname | Unknown | Destination hostname. |
| QRadar.Offense.Description | string | The description of the offense. |
| QRadar.Offense.EventCount | number | The number of events that are associated with the offense. |
| QRadar.Offense.OffenseSource | string | The source of the offense. |
| QRadar.Offense.Status | string | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| QRadar.Offense.Magnitude | number | The magnitude of the offense. |
| QRadar.Offense.ClosingUser | string | The user that closed the offense. |
| QRadar.Offense.ClosingReason | string | The offense closing reason. |
| QRadar.Offense.CloseTime | date | The time when the offense was closed. |
| QRadar.Offense.LastUpdatedTime | date | The time (ISO) when the offense was last updated. |
| QRadar.Offense.Categories | Unknown | Event categories that are associated with the offense. |
| QRadar.Offense.FlowCount | number | The number of flows that are associated with the offense. |
| QRadar.Offense.FollowUp | boolean | Offense followup. |
| QRadar.Offense.OffenseType | string | A number that represents the offense type. |
| QRadar.Offense.Protected | boolean | Whether the offense is protected. |

Command Example

!qradar-update-offense offense_id=450 protected=false

Context Example

{
  "QRadar": {
    "Offense": {
      "Categories": [
        "Firewall Session Closed",
        "Host Port Scan"
      ],
      "Credibility": 3,
      "Description": "Outbound port scan\n",
      "DestinationAddress": [
        "8.8.8.8"
      ],
      "DestinationHostname": [
        "Net-10-172-192.Net_10_0_0_0"
      ],
      "EventCount": 5,
      "FlowCount": 0,
      "Followup": false,
      "ID": 450,
      "LastUpdatedTime": "2020-07-22T14:45:39.082000Z",
      "Magnitude": 2,
      "OffenseSource": "8.8.8.8",
      "OffenseType": "Source IP",
      "Protected": false,
      "Relevance": 0,
      "RemoteDestinationCount": 0,
      "Severity": 5,
      "SourceAddress": [
        "8.8.8.8"
      ],
      "StartTime": "2020-07-22T14:40:43.870000Z",
      "Status": "OPEN"
    }
  }
}

Human Readable Output

QRadar Offense

| Categories | Credibility | Description | DestinationAddress | DestinationHostname | EventCount | FlowCount | Followup | ID | LastUpdatedTime | Magnitude | OffenseSource | OffenseType | Protected | Relevance | RemoteDestinationCount | Severity | SourceAddress | StartTime | Status |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Firewall Session Closed, Host Port Scan | 3 | Outbound port scan | 8.8.8.8 | Net-10-172-192.Net_10_0_0_0 | 5 | 0 | false | 450 | 2020-07-22T14:45:39.082000Z | 2 | 8.8.8.8 | Source IP | false | 0 | 0 | 5 | 8.8.8.8 | 2020-07-22T14:40:43.870000Z | OPEN |

qradar-get-assets


List all assets found in the model

Base Command

qradar-get-assets

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| filter | Query to filter assets. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--asset_model-assets-GET.html | Optional |
| range | Range of results to return. e.g.: 0-20 | Optional |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Assets.ID | number | The ID of the asset |
| Endpoint.IPAddress | Unknown | IP address of the asset |
| QRadar.Assets.Name.Value | string | Name of the asset |
| Endpoint.OS | number | Asset OS |
| QRadar.Assets.AggregatedCVSSScore.Value | number | CVSS score |
| QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
| QRadar.Assets.Weight.Value | number | Asset weight |
| QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
| QRadar.Assets.Name.LastUser | string | Last user who updated the name |

Command Example

!qradar-get-assets range=0-1

Context Example

{
  "Endpoint": {
    "IPAddress": [
      "8.8.8.8",
      "8.8.8.8"
    ]
  },
  "QRadar": {
    "Asset": [
      {
        "ID": 1914,
        "Name": {
          "LastUser": "IDENTITY:0",
          "Property Name": "Name",
          "Value": "ec2-54-245-171-52.us-west-2.compute.amazonaws.com"
        }
      },
      {
        "ID": 1928,
        "Name": {
          "LastUser": "IDENTITY:0",
          "Property Name": "Name",
          "Value": "ec2-44-234-115-112.us-west-2.compute.amazonaws.com"
        }
      }
    ]
  }
}

Human Readable Output

QRadar Assets

Asset(ID:1914)

| LastUser | Property Name | Value |
| --- | --- | --- |
| IDENTITY:0 | Name | ec2-54-245-171-52.us-west-2.compute.amazonaws.com |

Asset(ID:1928)

| LastUser | Property Name | Value |
| --- | --- | --- |
| IDENTITY:0 | Name | ec2-44-234-115-112.us-west-2.compute.amazonaws.com |

Endpoint

| IPAddress |
| --- |
| 8.8.8.8 |
| 8.8.8.8 |

qradar-get-asset-by-id


Retrieves the asset by ID.

Base Command

qradar-get-asset-by-id

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | The ID of the requested asset. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Assets.ID | number | The ID of the asset. |
| Endpoint.MACAddress | Unknown | Asset MAC address. |
| Endpoint.IPAddress | Unknown | Asset IP address (taken from the value of ip_addresses). |
| QRadar.Assets.ComplianceNotes.Value | string | Compliance notes |
| QRadar.Assets.CompliancePlan.Value | string | Compliance plan |
| QRadar.Assets.CollateralDamagePotential.Value | Unknown | Collateral damage potential |
| QRadar.Assets.AggregatedCVSSScore.Value | number | CVSS score |
| QRadar.Assets.Name.Value | string | Name of the asset |
| QRadar.Assets.GroupName | string | Name of the asset's group |
| Endpoint.Domain | Unknown | DNS name |
| Endpoint.OS | Unknown | Asset OS |
| QRadar.Assets.Weight.Value | number | Asset weight |
| QRadar.Assets.Vulnerabilities.Value | Unknown | Vulnerabilities |
| QRadar.Assets.Location | string | Location. |
| QRadar.Assets.Description | string | The asset description. |
| QRadar.Assets.SwitchID | number | Switch ID |
| QRadar.Assets.SwitchPort | number | Switch port. |
| QRadar.Assets.Name.LastUser | string | Last user who updated the name |
| QRadar.Assets.AggregatedCVSSScore.LastUser | string | Last user who updated the Aggregated CVSS Score |
| QRadar.Assets.Weight.LastUser | string | Last user who updated the weight |
| QRadar.Assets.ComplianceNotes.LastUser | string | Last user who updated the compliance notes |
| QRadar.Assets.CompliancePlan.LastUser | string | Last user who updated the compliance plan |
| QRadar.Assets.CollateralDamagePotential.LastUser | string | Last user who updated the collateral damage potential |
| QRadar.Assets.Vulnerabilities.LastUser | string | Last user who updated the vulnerabilities |

Command Example

!qradar-get-asset-by-id asset_id=1928

Context Example

{
  "Endpoint": {
    "IPAddress": [
      "8.8.8.8"
    ],
    "MACAddress": [
      "Unknown NIC"
    ]
  },
  "QRadar": {
    "Asset": {
      "ID": 1928,
      "Name": {
        "LastUser": "IDENTITY:0",
        "Property Name": "Name",
        "Value": "ec2-44-234-115-112.us-west-2.compute.amazonaws.com"
      }
    }
  }
}

Human Readable Output

QRadar Asset

Asset(ID:1928)

| LastUser | Property Name | Value |
| --- | --- | --- |
| IDENTITY:0 | Name | ec2-44-234-115-112.us-west-2.compute.amazonaws.com |

Endpoint

| IPAddress | MACAddress |
| --- | --- |
| 8.8.8.8 | Unknown NIC |

qradar-get-closing-reasons


Get closing reasons

Base Command

qradar-get-closing-reasons

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| include_reserved | If true, reserved closing reasons are included in the response | Optional |
| include_deleted | If true, deleted closing reasons are included in the response | Optional |
| filter | Query to filter results. For reference please consult: https://www.ibm.com/support/knowledgecenter/en/SS42VS_7.3.1/com.ibm.qradar.doc/c_rest_api_filtering.html | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offense_closing_reasons-GET.html | Optional |
| range | Range of results to return. e.g.: 0-20 | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Offense.ClosingReasons.ID | number | Closing reason ID |
| QRadar.Offense.ClosingReasons.Name | string | Closing reason name |

Command Example

!qradar-get-closing-reasons include_reserved=false

Context Example

{
  "QRadar": {
    "Offense": {
      "ClosingReasons": [
        {
          "ID": 2,
          "IsDeleted": false,
          "IsReserved": false,
          "Name": "False-Positive, Tuned"
        },
        {
          "ID": 1,
          "IsDeleted": false,
          "IsReserved": false,
          "Name": "Non-Issue"
        },
        {
          "ID": 3,
          "IsDeleted": false,
          "IsReserved": false,
          "Name": "Policy Violation"
        }
      ]
    }
  }
}

Human Readable Output

Offense Closing Reasons

| ID | Name | IsReserved | IsDeleted |
| --- | --- | --- | --- |
| 2 | False-Positive, Tuned | false | false |
| 1 | Non-Issue | false | false |
| 3 | Policy Violation | false | false |

qradar-create-note


Create a note on an offense

Base Command

qradar-create-note

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The offense ID to add the note to | Required |
| note_text | The note text | Required |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-POST.html | Optional |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Note.ID | number | Note ID |
| QRadar.Note.Text | string | Note text |
| QRadar.Note.CreateTime | date | The creation time of the note |
| QRadar.Note.CreatedBy | string | The user who created the note |

Command Example

!qradar-create-note offense_id=450 note_text="XSOAR has the best documentation!"

Context Example

{
  "QRadar": {
    "Note": {
      "CreateTime": "2020-09-02T08:12:47.314000Z",
      "CreatedBy": "API_user: admin",
      "ID": 1238,
      "Text": "XSOAR has the best documentation!"
    }
  }
}

Human Readable Output

QRadar Note

| CreateTime | CreatedBy | ID | Text |
| --- | --- | --- | --- |
| 2020-09-02T08:12:47.314000Z | API_user: admin | 1238 | XSOAR has the best documentation! |

qradar-get-note


Retrieve a note for an offense

Base Command

qradar-get-note

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| offense_id | The offense ID to retrieve the note from | Required |
| note_id | The note ID | Optional |
| fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. The filter uses QRadar's field names, for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Note.ID | number | Note ID |
| QRadar.Note.Text | string | Note text |
| QRadar.Note.CreateTime | date | The creation time of the note |
| QRadar.Note.CreatedBy | string | The user who created the note |

Command Example

!qradar-get-note offense_id=450 note_id=1232

Context Example

{
  "QRadar": {
    "Note": {
      "CreateTime": "2020-09-02T06:39:24.601000Z",
      "CreatedBy": "API_user: admin",
      "ID": 1232,
      "Text": "XSOAR has the best documentation!"
    }
  }
}

Human Readable Output

QRadar note for offense: 450

| CreateTime | CreatedBy | ID | Text |
| --- | --- | --- | --- |
| 2020-09-02T06:39:24.601000Z | API_user: admin | 1232 | XSOAR has the best documentation! |

qradar-get-reference-by-name


Returns information about the reference set that had data added or updated. This returns the set's metadata but not the contained data. This feature is supported from version 8.1 and upward.

Base Command

qradar-get-reference-by-name

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the requested reference. | Required |
| headers | Table headers to use in the human readable output (if none provided, will show all table headers) | Optional |
| date_value | If set to true, will try to convert the data values to ISO-8601 strings. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.Name | string | The name of the reference set. |
| QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference. |
| QRadar.Reference.ElementType | string | Reference element type. |
| QRadar.Reference.NumberOfElements | number | Number of elements. |
| QRadar.Reference.TimeToLive | string | Reference time to live. |
| QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN |
| QRadar.Reference.Data | Unknown | Reference set items |

Command Example

!qradar-get-reference-by-name ref_name=Date date_value=True

Context Example

{
  "QRadar": {
    "Reference": {
      "CreationTime": "2020-09-02T08:12:49.020000Z",
      "ElementType": "DATE",
      "Name": "Date",
      "NumberOfElements": 0,
      "TimeoutType": "UNKNOWN"
    }
  }
}

Human Readable Output

QRadar References

| CreationTime | ElementType | Name | NumberOfElements | TimeoutType |
| --- | --- | --- | --- | --- |
| 2020-09-02T08:12:49.020000Z | DATE | Date | 0 | UNKNOWN |

qradar-create-reference-set


Creates a new reference set. If the provided name is already in use, this command will fail.

Base Command

qradar-create-reference-set

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | Reference name to be created | Required |
| element_type | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch January 1st 1970. | Required |
| timeout_type | The allowed values are FIRST_SEEN, LAST_SEEN and UNKNOWN. The default value is UNKNOWN. | Optional |
| time_to_live | The time to live interval, for example: "1 month" or "5 minutes" | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| QRadar.Reference.CreationTime | date | Creation time of the reference set. |
| QRadar.Reference.ElementType | string | The element type for the values allowed in the reference set. The allowed values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. |
| QRadar.Reference.Name | string | Name of the reference set. |
| QRadar.Reference.NumberOfElements | number | Number of elements in the created reference set. |
| QRadar.Reference.TimeoutType | string | Timeout type of the reference. The allowed values are FIRST_SEEN, LAST_SEEN and UNKNOWN. |

Command Example

!qradar-create-reference-set ref_name=Date element_type=DATE

Context Example

{
  "QRadar": {
    "Reference": {
      "CreationTime": "2020-09-02T08:12:49.020000Z",
      "ElementType": "DATE",
      "Name": "Date",
      "NumberOfElements": 0,
      "TimeoutType": "UNKNOWN"
    }
  }
}

Human Readable Output

QRadar References

| CreationTime | ElementType | Name | NumberOfElements | TimeoutType |
| --- | --- | --- | --- | --- |
| 2020-09-02T08:12:49.020000Z | DATE | Date | 0 | UNKNOWN |

qradar-delete-reference-set


Deletes a reference set corresponding to the name provided.

Base Command

qradar-delete-reference-set

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to delete. | Required |

Context Output

There is no context output for this command.

Command Example

!qradar-delete-reference-set ref_name=Date

Context Example

{}

Human Readable Output

Reference Data Deletion Task for 'Date' was initiated. Reference set 'Date' should be deleted shortly.

qradar-create-reference-set-value


Add or update a value in a reference set.

Base Command

qradar-create-reference-set-value

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ref_name | The name of the reference set to add or update a value in. | Required |
| value | The value(s) to add or update in the reference set. Note: Date values must be represented in epoch in reference sets (milliseconds since the Unix Epoch January 1st 1970). If 'date_value' is set to 'True', then the argument will be converted from a date in the format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Required |
| source | An indication of where the data originated. The default value is 'reference data api'. | Optional |
| date_value | If set to True, will convert the 'value' argument from a date in the format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Optional |

Context Output

Path | Type | Description
QRadar.Reference.Name | string | The name of the reference set.
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference.
QRadar.Reference.ElementType | string | Reference element type.
QRadar.Reference.NumberOfElements | number | Number of elements.
QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN

Command Example

!qradar-create-reference-set-value ref_name=Date value=2018-11-27T11:34:23.110000Z date_value=True

Context Example

{
  "QRadar": {
    "Reference": {
      "CreationTime": "2020-09-02T08:12:49.020000Z",
      "ElementType": "DATE",
      "Name": "Date",
      "NumberOfElements": 1,
      "TimeoutType": "UNKNOWN"
    }
  }
}

Human Readable Output

Element value was updated successfully in reference set:

CreationTime | ElementType | Name | NumberOfElements | TimeoutType
2020-09-02T08:12:49.020000Z | DATE | Date | 1 | UNKNOWN

qradar-update-reference-set-value


Adds or updates a value in a reference set.

Base Command

qradar-update-reference-set-value

Input

Argument Name | Description | Required
ref_name | The name of the reference set to add or update a value in. | Required
value | A comma-separated list of values to add or update in the reference set. Date values must be represented in milliseconds since the Unix Epoch, January 1st 1970. | Required
source | An indication of where the data originated. The default value is 'reference data api'. | Optional
date_value | If set to True, converts the 'value' argument from a date in the format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Optional

Context Output

Path | Type | Description
QRadar.Reference.Name | string | The name of the reference set.
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference.
QRadar.Reference.ElementType | string | Reference element type.
QRadar.Reference.NumberOfElements | number | Number of elements.
QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN

Command Example

!qradar-update-reference-set-value ref_name="Documentation Reference" value="Important information" source="Documentation"

Context Example

{
  "QRadar": {
    "Reference": {
      "CreationTime": "2020-09-02T06:45:52.294000Z",
      "ElementType": "ALNIC",
      "Name": "Documentation Reference",
      "NumberOfElements": 1,
      "TimeoutType": "UNKNOWN"
    }
  }
}

Human Readable Output

Element value was updated successfully in reference set:

CreationTime | ElementType | Name | NumberOfElements | TimeoutType
2020-09-02T06:45:52.294000Z | ALNIC | Documentation Reference | 1 | UNKNOWN

qradar-delete-reference-set-value


Deletes a value in a reference set.

Base Command

qradar-delete-reference-set-value

Input

Argument Name | Description | Required
ref_name | The name of the reference set to remove a value from. | Required
value | The value to remove from the reference set. | Required
date_value | If set to True, converts the 'value' argument from a date in the format '%Y-%m-%dT%H:%M:%S.%f000Z' (e.g. '2018-11-06T08:56:41.000000Z') to epoch. | Optional

Context Output

Path | Type | Description
QRadar.Reference.Name | string | The name of the reference set.
QRadar.Reference.CreationTime | date | The creation time (ISO) of the reference.
QRadar.Reference.ElementType | string | Reference element type.
QRadar.Reference.NumberOfElements | number | Number of elements.
QRadar.Reference.TimeoutType | string | Reference timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN

Command Example

!qradar-delete-reference-set-value ref_name=Date value=1543318463000

Context Example

{
  "QRadar": {
    "Reference": {
      "CreationTime": "2020-09-02T08:12:49.020000Z",
      "ElementType": "DATE",
      "Name": "Date",
      "NumberOfElements": 0,
      "TimeoutType": "UNKNOWN"
    }
  }
}

Human Readable Output

Element value was deleted successfully in reference set:

CreationTime | ElementType | Name | NumberOfElements | TimeoutType
2020-09-02T08:12:49.020000Z | DATE | Date | 0 | UNKNOWN
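The three reference-set value commands above accept a date string when date_value=True and otherwise expect DATE values as epoch milliseconds; the page's own examples add 2018-11-27T11:34:23.110000Z and later delete 1543318463000, i.e. the same instant truncated to whole seconds. The helper below is an added example written for this page, not code from the QRadar_v2 integration, and the function names are my own. It performs that conversion with integer arithmetic on a timezone-aware datetime so the result does not depend on the host's local timezone, and handles the comma-separated form of the value argument.

```python
"""Convert the date strings accepted by the reference-set value commands
to the epoch-millisecond integers stored in QRadar DATE reference sets.
Added example for this page; not code from the QRadar_v2 integration."""
from datetime import datetime, timezone

# Pattern for the strings the 'value' argument accepts when date_value=True,
# e.g. '2018-11-06T08:56:41.000000Z' (the page's example). This uses the
# standard %f directive rather than the page's '%f000Z' spelling; it accepts
# the same six-digit-fraction strings.
ISO_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def iso_to_epoch_ms(value: str, whole_seconds: bool = True) -> int:
    """Parse an ISO-8601 UTC timestamp and return milliseconds since the epoch.

    whole_seconds=True drops the fractional part, which matches the page's
    own example pair (…23.110000Z added, 1543318463000 deleted).
    """
    parsed = datetime.strptime(value.strip(), ISO_FORMAT).replace(tzinfo=timezone.utc)
    if whole_seconds:
        parsed = parsed.replace(microsecond=0)
    # Integer arithmetic on the timedelta avoids float rounding of timestamp().
    delta = parsed - UNIX_EPOCH
    return delta.days * 86_400_000 + delta.seconds * 1_000 + delta.microseconds // 1_000


def epoch_ms_to_iso(epoch_ms: int) -> str:
    """Inverse conversion, for reading DATE values back out of a reference set."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime(ISO_FORMAT)


def prepare_values(value_arg: str, date_value: bool = False) -> list:
    """Split the comma-separated 'value' argument; with date_value=True each
    entry is converted to epoch milliseconds before it is sent to QRadar."""
    values = [v.strip() for v in value_arg.split(",") if v.strip()]
    if date_value:
        return [iso_to_epoch_ms(v) for v in values]
    return values


if __name__ == "__main__":
    # Reproduces the page's example: the value added with date_value=True
    # is the one later removed as 1543318463000.
    print(iso_to_epoch_ms("2018-11-27T11:34:23.110000Z"))
    print(epoch_ms_to_iso(1543318463000))
```

Keep whole_seconds=True when preparing a value you intend to delete later with qradar-delete-reference-set-value, since a value that was stored to the second will not match an epoch value carrying milliseconds.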

qradar-get-domains


Retrieves all domains.

Base Command

qradar-get-domains

Input

Argument Name | Description | Required
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names; for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional
range | Number of results to return. | Optional
filter | Query to filter offenses. | Optional

Context Output

Path | Type | Description
QRadar.Domains.AssetScannerIDs | Number | Array of Asset Scanner IDs.
QRadar.Domains.CustomProperties | String | Custom properties of the domain.
QRadar.Domains.Deleted | Boolean | Indicates if the domain is deleted.
QRadar.Domains.Description | String | Description of the domain.
QRadar.Domains.EventCollectorIDs | Number | Array of Event Collector IDs.
QRadar.Domains.FlowCollectorIDs | Number | Array of Flow Collector IDs.
QRadar.Domains.FlowSourceIDs | Number | Array of Flow Source IDs.
QRadar.Domains.ID | Number | ID of the domain.
QRadar.Domains.LogSourceGroupIDs | Number | Array of Log Source Group IDs.
QRadar.Domains.LogSourceIDs | Number | Array of Log Source IDs.
QRadar.Domains.Name | String | Name of the Domain.
QRadar.Domains.QVMScannerIDs | Number | Array of QVM Scanner IDs.
QRadar.Domains.TenantID | Number | ID of the Domain tenant.

Command Example

!qradar-get-domains

Context Example

{
  "QRadar": {
    "Domains": [
      {
        "Deleted": false,
        "ID": 0,
        "TenantID": 0
      },
      {
        "Deleted": true,
        "ID": 1,
        "Name": "QRadarWhiteListIP",
        "TenantID": 0
      }
    ]
  }
}

Human Readable Output

Domains Found

AssetScannerIDs | CustomProperties | Deleted | Description | EventCollectorIDs | FlowCollectorIDs | FlowSourceIDs | ID | LogSourceGroupIDs | LogSourceIDs | Name | QVMScannerIDs | TenantID
 |  | false |  |  |  |  | 0 |  |  |  |  | 0
 |  | true |  |  |  |  | 1 |  |  | QRadarWhiteListIP |  | 0

qradar-get-domain-by-id


Retrieves domain information by ID.

Base Command

qradar-get-domain-by-id

Input

Argument Name | Description | Required
id | ID of the domain. | Required
fields | If used, will filter all fields except for the specified ones. Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets; multiple fields in the same object are separated by commas. The filter uses QRadar's field names; for reference please consult: https://www.ibm.com/support/knowledgecenter/SSKMKU/com.ibm.qradar.doc_cloud/9.1--siem-offenses-offense_id-notes-note_id-GET.html | Optional

Context Output

Path | Type | Description
QRadar.Domains.AssetScannerIDs | Number | Array of Asset Scanner IDs.
QRadar.Domains.CustomProperties | String | Custom properties of the domain.
QRadar.Domains.Deleted | Boolean | Indicates if the domain is deleted.
QRadar.Domains.Description | String | Description of the domain.
QRadar.Domains.EventCollectorIDs | Number | Array of Event Collector IDs.
QRadar.Domains.FlowCollectorIDs | Number | Array of Flow Collector IDs.
QRadar.Domains.FlowSourceIDs | Number | Array of Flow Source IDs.
QRadar.Domains.ID | Number | ID of the domain.
QRadar.Domains.LogSourceGroupIDs | Number | Array of Log Source Group IDs.
QRadar.Domains.LogSourceIDs | Number | Array of Log Source IDs.
QRadar.Domains.Name | String | Name of the Domain.
QRadar.Domains.QVMScannerIDs | Number | Array of QVM Scanner IDs.
QRadar.Domains.TenantID | Number | ID of the Domain tenant.

Command Example

!qradar-get-domain-by-id id=0

Context Example

{
  "QRadar": {
    "Domains": {
      "Deleted": false,
      "ID": 0,
      "TenantID": 0
    }
  }
}

Human Readable Output

Domains Found

Deleted | ID | TenantID
false | 0 | 0

qradar-upload-indicators


Uploads indicators from Demisto to QRadar.

Base Command

qradar-upload-indicators

Input

Argument Name | Description | Required
ref_name | The name of the reference set to add or update a value in. To create a new reference set, you need to set the element type. | Required
element_type | The element type for the values permitted in the reference set. Only required when creating a new reference set. The valid values are: ALN (alphanumeric), ALNIC (alphanumeric ignore case), IP (IP address), NUM (numeric), PORT (port number) or DATE. Note that date values need to be represented in milliseconds since the Unix Epoch, January 1st 1970. | Optional
timeout_type | The timeout_type can be "FIRST_SEEN", "LAST_SEEN", or "UNKNOWN". The default value is UNKNOWN. Only required when creating a new reference set. | Optional
time_to_live | The time to live interval, for example: "1 month" or "5 minutes". Only required when creating a new reference set. | Optional
query | The query for getting indicators. | Required
limit | The maximum number of indicators to return. The default value is 1000. | Optional
page | The page from which to get the indicators. | Optional

Context Output

There is no context output for this command.

Command Example

!qradar-upload-indicators query=type:IP ref_name="XSOAR IP Indicators"

Context Example

{}

Human Readable Output

reference set XSOAR IP Indicators was updated

Name | ElementType | TimeoutType | CreationTime | NumberOfElements
XSOAR IP Indicators | ALNIC | UNKNOWN | 2020-09-02T06:59:41.266000Z | 276

Indicators list

Value | Type
8.8.8.8 | IP
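The element_type argument above fixes what a reference set will accept (ALN, ALNIC, IP, NUM, PORT or DATE), and the page's own example pushes type:IP indicators into a set created as ALNIC, which takes any string. When the target set is typed, values that do not fit the type are worth catching before the upload rather than after. The following is an added example written for this page, not code from the QRadar_v2 integration; the function names, the indicator dict layout and the sample indicators are constructed for illustration.

```python
"""Pre-flight check of indicator values against a reference set's element
type before running qradar-upload-indicators. Added example for this page;
not code from the QRadar_v2 integration."""
import ipaddress

# Element types the page documents for the element_type argument.
ELEMENT_TYPES = ("ALN", "ALNIC", "IP", "NUM", "PORT", "DATE")


def fits_element_type(value: str, element_type: str) -> bool:
    """Return True if value is acceptable for a reference set of element_type."""
    element_type = element_type.upper()
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"unknown element type: {element_type}")
    if element_type in ("ALN", "ALNIC"):
        return value != ""                      # any non-empty string
    if element_type == "IP":
        try:
            ipaddress.ip_address(value)         # IPv4 or IPv6; a CIDR range is rejected
            return True
        except ValueError:
            return False
    if element_type == "PORT":
        return value.isdigit() and 0 <= int(value) <= 65535
    if element_type == "NUM":
        try:
            float(value)
            return True
        except ValueError:
            return False
    # DATE: the page states dates are milliseconds since the Unix epoch,
    # so the value must already be a non-negative integer, not an ISO string.
    return value.isdigit()


def partition_indicators(indicators, element_type):
    """Split indicator dicts ({'value': ..., 'type': ...}, a constructed layout)
    into those that fit the set's element type and those that do not."""
    ok, rejected = [], []
    for ind in indicators:
        target = ok if fits_element_type(str(ind["value"]), element_type) else rejected
        target.append(ind)
    return ok, rejected


# Constructed sample indicators; the first mirrors the page's 8.8.8.8 / IP row.
SAMPLE_INDICATORS = [
    {"value": "8.8.8.8", "type": "IP"},
    {"value": "2001:db8::1", "type": "IP"},
    {"value": "10.0.0.0/8", "type": "CIDR"},
    {"value": "example.test", "type": "Domain"},
]

if __name__ == "__main__":
    ok, rejected = partition_indicators(SAMPLE_INDICATORS, "IP")
    print("upload:", [i["value"] for i in ok])
    print("skip:  ", [i["value"] for i in rejected])
```

Run the partition against the element_type you plan to pass (or the existing set's ElementType from the command output) and upload only the first list; the second list is the set of values that would not have matched a typed set in the first place.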

qradar-reset-last-run


Resets the fetch-incidents last run value, which returns the fetch to its initial state (the next fetch will try to fetch the first available offense).

Base Command

qradar-reset-last-run

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!qradar-reset-last-run

Context Example

{}

Human Readable Output

fetch-incidents was reset successfully.

get-mapping-fields


Returns the list of fields for an incident type. This command is for debugging purposes.

Base Command

get-mapping-fields

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

qradar-get-custom-properties


Retrieves a list of event regex properties.

Base Command

qradar-get-custom-properties

Input

Argument Name | Description | Required
limit | The maximum number of regex event properties to fetch. Default is 25. | Optional
field_name | A comma-separated list of names of exact properties to search for. | Optional
fields | A comma-separated list of fields that specifies the fields returned by the command output. When not given, all fields are returned. Options are identifier, name, id, locale, datetime_format, description, username, property_type, auto_discovered, use_for_rule_engine. | Optional
like_name | A comma-separated list of property names to search for (case insensitive). | Optional
filter | This parameter is used to restrict the elements in a list based on the contents of various fields. | Optional

Context Output

Path | Type | Description
QRadar.Properties.auto_discovered | Number | The flag to indicate if the event regex property is generated by the custom properties discovery engine.
QRadar.Properties.creation_date | Date | The date when the event regex property was created.
QRadar.Properties.datetime_format | String | The date/time pattern that the event regex property matches.
QRadar.Properties.description | String | The description of the event regex property.
QRadar.Properties.id | Number | The sequence ID of the event regex property.
QRadar.Properties.identifier | String | The ID of the event regex property.
QRadar.Properties.locale | String | The language tag of the locale that the property matches.
QRadar.Properties.modification_date | Date | The date when the event regex property was last modified.
QRadar.Properties.name | String | The name of the event regex property.
QRadar.Properties.property_type | String | The property type (STRING, NUMERIC, IP, PORT, TIME) of the event regex property.
QRadar.Properties.use_for_rule_engine | Number | The flag to indicate if the event regex property is parsed when the event is received.
QRadar.Properties.username | String | The owner of the event regex property.

Command Example

!qradar-get-custom-properties field_name="AVT-App-Name" like_name="rule" limit=2

Context Example

{
  "QRadar": {
    "Properties": [
      {
        "auto_discovered": false,
        "creation_date": "2012-07-04 17:05:02",
        "datetime_format": null,
        "description": "",
        "id": 213,
        "identifier": "DEFAULT_ACF2_RULE_KEY",
        "locale": null,
        "modification_date": "2012-07-04 17:05:02",
        "name": "ACF2 rule key",
        "property_type": "string",
        "use_for_rule_engine": true,
        "username": "admin"
      },
      {
        "auto_discovered": false,
        "creation_date": "2012-07-04 17:05:02",
        "datetime_format": null,
        "description": "Rule name why Parity Agent blocked an access to a file.",
        "id": 222,
        "identifier": "DEFAULT_RULE_NAME",
        "locale": null,
        "modification_date": "2012-07-04 17:05:02",
        "name": "Rule Name",
        "property_type": "string",
        "use_for_rule_engine": true,
        "username": "admin"
      }
    ]
  }
}

Human Readable Output

QRadar: Custom Properties:

auto_discovered | creation_date | description | id | identifier | modification_date | name | property_type | use_for_rule_engine | username
false | 2012-07-04 17:05:02 |  | 213 | DEFAULT_ACF2_RULE_KEY | 2012-07-04 17:05:02 | ACF2 rule key | string | true | admin
false | 2012-07-04 17:05:02 | Rule name why Parity Agent blocked an access to a file. | 222 | DEFAULT_RULE_NAME | 2012-07-04 17:05:02 | Rule Name | string | true | admin