IBM QRadar

Hi, there is no native way to do this but there are several workarounds using the API.

The Qradar API allows you to extract offenses, log sources (quantity/status), domains, tennats, rules (use case manager app) and most importantly, perform searches based on AQL which gives you the freedom to do whatever you like.

To implement this you need a API token in authorized services.

A possible flow would be something similar to this

Step 1: Definition of what information do you need?
Step 2: Determine how to extract them, example:
a- If you need offenses you just have to go to /siem/offenses and you can also use filters like ?filter=status%3Dopen
b- If you need to create a search you must enter the AQL in /ariel/searches and then get the results in /ariel/searches/id

Step 3: Store the data in a database
Step 4: Plot the data with PowerBi

A few months ago I made this post where I explain the possibilities a bit more using python but unfortunately for privacy reasons I had to remove the script from github. But the idea is there and I think it can guide to achieve the purpose.

https://community.ibm.com/community/user/security/discussion/python-script-to-save-offenses-to-csvdb-file-and-monitoring-for-new-ones-for-data-analytics#bma4308591-f4dd-4e7c-930e-f9f3cd592b27

Hi carols,

Thanks for your response.

Hi, there is no native way to do this but there are several workarounds using the API.

The Qradar API allows you to extract offenses, log sources (quantity/status), domains, tennats, rules (use case manager app) and most importantly, perform searches based on AQL which gives you the freedom to do whatever you like.

To implement this you need a API token in authorized services.

A possible flow would be something similar to this

Step 1: Definition of what information do you need?
Step 2: Determine how to extract them, example:
a- If you need offenses you just have to go to /siem/offenses and you can also use filters like ?filter=status%3Dopen
b- If you need to create a search you must enter the AQL in /ariel/searches and then get the results in /ariel/searches/id

Step 3: Store the data in a database
Step 4: Plot the data with PowerBi

A few months ago I made this post where I explain the possibilities a bit more using python but unfortunately for privacy reasons I had to remove the script from github. But the idea is there and I think it can guide to achieve the purpose.

https://community.ibm.com/community/user/security/discussion/python-script-to-save-offenses-to-csvdb-file-and-monitoring-for-new-ones-for-data-analytics#bma4308591-f4dd-4e7c-930e-f9f3cd592b27

Not sure if you've seen this already and if it could help - quite a while ago an example how to use the AQL and pull the data from QRadar into an Excel workbook was posted on github < https://github.com/ibm-security-intelligence/visualizations/tree/master/excel >

Hi carols,

Thanks for your response.

Hi, there is no native way to do this but there are several workarounds using the API.

The Qradar API allows you to extract offenses, log sources (quantity/status), domains, tennats, rules (use case manager app) and most importantly, perform searches based on AQL which gives you the freedom to do whatever you like.

To implement this you need a API token in authorized services.

A possible flow would be something similar to this

Step 1: Definition of what information do you need?
Step 2: Determine how to extract them, example:
a- If you need offenses you just have to go to /siem/offenses and you can also use filters like ?filter=status%3Dopen
b- If you need to create a search you must enter the AQL in /ariel/searches and then get the results in /ariel/searches/id

Step 3: Store the data in a database
Step 4: Plot the data with PowerBi

A few months ago I made this post where I explain the possibilities a bit more using python but unfortunately for privacy reasons I had to remove the script from github. But the idea is there and I think it can guide to achieve the purpose.

https://community.ibm.com/community/user/security/discussion/python-script-to-save-offenses-to-csvdb-file-and-monitoring-for-new-ones-for-data-analytics#bma4308591-f4dd-4e7c-930e-f9f3cd592b27

Hi Dusan,

Thanks for your response.

i saw this excel and configure it with my qradar but it didn't give me any results, are you use it before?. 

Not sure if you've seen this already and if it could help - quite a while ago an example how to use the AQL and pull the data from QRadar into an Excel workbook was posted on github < https://github.com/ibm-security-intelligence/visualizations/tree/master/excel >

Hi carols,

Thanks for your response.

Hi, there is no native way to do this but there are several workarounds using the API.

The Qradar API allows you to extract offenses, log sources (quantity/status), domains, tennats, rules (use case manager app) and most importantly, perform searches based on AQL which gives you the freedom to do whatever you like.

To implement this you need a API token in authorized services.

A possible flow would be something similar to this

Step 1: Definition of what information do you need?
Step 2: Determine how to extract them, example:
a- If you need offenses you just have to go to /siem/offenses and you can also use filters like ?filter=status%3Dopen
b- If you need to create a search you must enter the AQL in /ariel/searches and then get the results in /ariel/searches/id

Step 3: Store the data in a database
Step 4: Plot the data with PowerBi

A few months ago I made this post where I explain the possibilities a bit more using python but unfortunately for privacy reasons I had to remove the script from github. But the idea is there and I think it can guide to achieve the purpose.

https://community.ibm.com/community/user/security/discussion/python-script-to-save-offenses-to-csvdb-file-and-monitoring-for-new-ones-for-data-analytics#bma4308591-f4dd-4e7c-930e-f9f3cd592b27

I tried it in my lab (though quite some time ago)  and it worked.

Hi Dusan,

Thanks for your response.

i saw this excel and configure it with my qradar but it didn't give me any results, are you use it before?. 

Not sure if you've seen this already and if it could help - quite a while ago an example how to use the AQL and pull the data from QRadar into an Excel workbook was posted on github < https://github.com/ibm-security-intelligence/visualizations/tree/master/excel >

Hi carols,

Thanks for your response.

Hi, there is no native way to do this but there are several workarounds using the API.

The Qradar API allows you to extract offenses, log sources (quantity/status), domains, tennats, rules (use case manager app) and most importantly, perform searches based on AQL which gives you the freedom to do whatever you like.

To implement this you need a API token in authorized services.

A possible flow would be something similar to this

Step 1: Definition of what information do you need?
Step 2: Determine how to extract them, example:
a- If you need offenses you just have to go to /siem/offenses and you can also use filters like ?filter=status%3Dopen
b- If you need to create a search you must enter the AQL in /ariel/searches and then get the results in /ariel/searches/id

Step 3: Store the data in a database
Step 4: Plot the data with PowerBi

A few months ago I made this post where I explain the possibilities a bit more using python but unfortunately for privacy reasons I had to remove the script from github. But the idea is there and I think it can guide to achieve the purpose.

https://community.ibm.com/community/user/security/discussion/python-script-to-save-offenses-to-csvdb-file-and-monitoring-for-new-ones-for-data-analytics#bma4308591-f4dd-4e7c-930e-f9f3cd592b27