IBM QRadar

  • 1.  QRadar API - Get the Event Details data from the offenses using API

    Posted Wed August 06, 2025 09:42 AM

    Hello everyone, I have a question about using the IBM QRadar API to get the detailed event data from an Offense via the API. The attachment shows the steps to get to the data I want to retrieve using the API: first we click one of the offenses, then click the event/flow count, after which the pop-up appears; then we use edit search to add Action-1 (custom) to the columns and search. Can I get the detailed data inside there using the API? What is the endpoint and the parameters to access it? Thank you

    To access the data I want, we must open the event details from the offense, then click the event/flow count to show the pop-up.
    Here are the event details we want to get from inside the Offense; before getting to this section we use edit search to add the Action 1 (custom) column and then search. We want to get the Action-1 (custom) value and the others.


    ------------------------------
    Albert Lius
    ------------------------------


  • 2.  RE: QRadar API - Get the Event Details data from the offenses using API

    Posted Thu August 07, 2025 11:17 AM

    Albert, thanks for your enquiry. The simple answer is: yes, you can! Most of your questions can be answered by the API documentation, which is a live test environment inside the QRadar GUI. All GUI functions you are referring to are documented in the documentation. However, there are a few challenges you have to work around in your own program. The parameters are well documented there. The endpoint is whatever you want to use. The easiest way is to use curl for a basic test environment. You have to save your offense search first in order to get the results in the API. Please check the screens supplied for details.

    [Screenshots: savesearch, api search]


    ------------------------------
    Karl Jaeger #ibmchampion
    QRadar Specialist
    ------------------------------



  • 3.  RE: QRadar API - Get the Event Details data from the offenses using API

    Posted Thu August 14, 2025 06:44 AM
    Edited by Mykhailo Honcharov Mon August 25, 2025 08:37 AM

    Hello Albert,

    You'll need to consult the API documentation, specifically the /ariel/searches endpoint.

    The workflow for what you want to do is roughly as follows:

    1. POST an AQL query to /ariel/searches:
      SELECT *
      FROM events
      WHERE INOFFENSE(<id>)
      LIMIT <limit>
      times OFFENSE_TIME(<id>)
      • Replace <id> with the actual offense ID (as a number).
      • The WHERE and times clauses ensure you only retrieve events relevant to that offense and timeframe.
      • I recommend specifying a <limit> unless you're certain all your offenses have a low event count.

      The response will contain a JSON object describing the search. The key field to note is search_id, which uniquely identifies the search and is required to fetch the results.

    2. GET the search results from /ariel/searches/<search_id>/results:
      • Use the search_id returned in step 1.
      • The JSON response will include all offense events under the events field.

    Important: You can only retrieve results after the search has completed. If it's still running, the GET request will return a 404. You'll need to either:

    • Implement a polling mechanism to check when results are ready, or

    • Wait for a fixed amount of time before requesting results.

    Additional notes:

    • You can specify which event properties to return in the SELECT clause, but it's not always possible to know all available fields in advance.

    • This can be inconvenient if the offense contains events from different log source types. The safest approach is to include every property you might need in the SELECT clause. If a particular event doesn't contain a property, its value will simply be NULL.

    • Everything above applies equally to flows AQL searches as well.



    ------------------------------
    Mykhailo Honcharov
    ------------------------------
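
The POST / poll / GET flow described in the answer above, written out as an added example (not code from the original post or from IBM). It uses the AQL text given in the answer, the /api/ariel/searches endpoints and the SEC token header of the QRadar REST API, and the documented search status values; the console hostname and token are caller-supplied, and the `transport` parameter is a hypothetical hook added so the flow can be exercised against a fake console without network access.

```python
import json
import time
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Tuple

# Transport: (method, url, headers) -> (http_status, parsed JSON); injected so the flow runs offline.
Transport = Callable[[str, str, Dict[str, str]], Tuple[int, Any]]
def urllib_transport(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, Any]:
    """Default transport for a real console (TLS verified by urllib's defaults)."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, json.loads(resp.read() or b"null")

def build_offense_aql(offense_id: int, limit: int) -> str:
    """The AQL from the post; values are coerced to int so only digits reach the query text."""
    oid, lim = int(offense_id), int(limit)
    if oid < 0 or lim <= 0:
        raise ValueError("offense_id must be >= 0 and limit must be > 0")
    return (f"SELECT * FROM events WHERE INOFFENSE({oid}) "
            f"LIMIT {lim} times OFFENSE_TIME({oid})")

def fetch_offense_events(console: str, token: str, offense_id: int, limit: int = 1000,
                         transport: Transport = urllib_transport,
                         poll_interval: float = 2.0, max_polls: int = 60) -> list:
    """POST the search, poll its status until COMPLETED, then GET the events."""
    headers = {"SEC": token, "Accept": "application/json"}
    base = f"https://{console}/api/ariel/searches"
    query = urllib.parse.quote(build_offense_aql(offense_id, limit))
    # Step 1: create the search; the response carries search_id.
    status, body = transport("POST", f"{base}?query_expression={query}", headers)
    if status not in (200, 201):
        raise RuntimeError(f"search creation failed: HTTP {status}")
    search_id = body["search_id"]
    # Poll the search object itself; asking /results too early returns 404.
    for _ in range(max_polls):
        status, body = transport("GET", f"{base}/{search_id}", headers)
        if status == 200 and body.get("status") == "COMPLETED":
            break
        if status == 200 and body.get("status") in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended with status {body['status']}")
        time.sleep(poll_interval)
    else:
        raise TimeoutError(f"search {search_id} not complete after {max_polls} polls")
    # Step 2: fetch the results; offense events sit under the "events" key.
    status, body = transport("GET", f"{base}/{search_id}/results", headers)
    if status != 200:
        raise RuntimeError(f"results fetch failed: HTTP {status}")
    return body["events"]
```

Each returned dict is one event keyed by the property names the SELECT clause produced, so a property that a given event lacks shows up as None, matching the NULL behaviour noted above.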