IBM QRadar

How can I use the ArielSearch API in QPYLib to query domains, URL and other related information. Currently, my api_version is v20.0, and the fields that can be queried are as follows:

/ariel/searches/{search_id}:

{
  "cursor_id": "35822d91-02aa-44b8-b1d3-603e909b961b",
  "status": "COMPLETED",
  "compressed_data_file_count": 0,
  "compressed_data_total_size": 0,
  "data_file_count": 0,
  "data_total_size": 0,
  "index_file_count": 60,
  "index_total_size": 491849,
  "processed_record_count": 0,
  "desired_retention_time_msec": 86400000,
  "progress": 100,
  "progress_details": [],
  "query_execution_time": 12,
  "query_string": "SELECT * FROM events WHERE logsourceid in (167) LIMIT 2000000 START ('2024-05-28 01:00') STOP ('2024-05-28 02:00')",
  "record_count": 0,
  "size_on_disk": 24,
  "save_results": false,
  "completed": true,
  "subsearch_ids": [],
  "snapshot": null,
  "search_id": "35822d91-02aa-44b8-b1d3-603e909b961b"
}

and the result api retured:

{
  "events": [
    {
      "starttime": 1716801297718,
      "protocolid": 255,
      "sourceip": "10.43.176.219",
      "logsourceid": 167,
      "qid": 1004750002,
      "sourceport": 0,
      "eventcount": 1,
      "magnitude": 6,
      "identityip": "0.0.0.0",
      "destinationip": "58.221.49.81",
      "destinationport": 80,
      "category": 19040,
      "username": null
    }]
}

In addition, I mapped the original log fields in the log source to the newly added DemoDomain field in DSM through the DSM editor.

I want to get the custom DemoDomain field by SDK ariel API. But the returned fields dont't contain DemoDomain field.  How can I do?

Liu

a few things to know. You have defined a demo domain. Thats excellent. For testing you should define a demo tenant as well cause domains and tenants have a relationship. For demo purpose you can use a 1:1 relationship but all other combinations are valid as well. Moreover your demo domain uses the form www.domain.tld. That may be some misunderstanding. You dont want to assigns domains to internet domains. Domains in QRadar are just container for logsources you have to assign. Eg you can assign all webdomains in europe to a domain called europe. On top of that you can define tenants to just see european events given the same name europe as well or assign two tenants to europe named south and north. I have included some screenshots from the api - latest version is 21 - to give you some more insight. After everything is defined correctly you can add (domain)id and tenant-id field to your queries. Note: no domain in front of domain-id! Just Id.

------------------------------
[Karl] [Jaeger] [#ibmchampion]
[QRadar Specialist]
[cnag]
[Siegen] [Germany]
------------------------------

{  "cursor_id": "35822d91-02aa-44b8-b1d3-603e909b961b",  "status": "COMPLETED",  "compressed_data_file_count": 0,  "compressed_data_total_size": 0,  "data_file_count": 0,  "data_total_size": 0,  "index_file_count": 60,  "index_total_size": 491849,  "processed_record_count": 0,  "desired_retention_time_msec": 86400000,  "progress": 100,  "progress_details": [],  "query_execution_time": 12,  "query_string": "SELECT * FROM events WHERE logsourceid in (167) LIMIT 2000000 START ('2024-05-28 01:00') STOP ('2024-05-28 02:00')",  "record_count": 0,  "size_on_disk": 24,  "save_results": false,  "completed": true,  "subsearch_ids": [],  "snapshot": null,  "search_id": "35822d91-02aa-44b8-b1d3-603e909b961b"}

{  "events": [    {      "starttime": 1716801297718,      "protocolid": 255,      "sourceip": "10.43.176.219",      "logsourceid": 167,      "qid": 1004750002,      "sourceport": 0,      "eventcount": 1,      "magnitude": 6,      "identityip": "0.0.0.0",      "destinationip": "58.221.49.81",      "destinationport": 80,      "category": 19040,      "username": null    }]
}