IBM QRadar

  • 1.  Utilize QRadar API for retrieving Source IP Address

    Posted Fri May 31, 2019 10:34 AM
    I'm looking to utilize the QRadar API for verifying that I'm receiving events from certain Source IPs. I think this should be fairly easy but I must be missing something. I've had a little bit of experience with Basic GETs but can't seem to nail this down. Anyone have any suggestions besides reading the API doc :)?

    ------------------------------
    Justin Mann
    ------------------------------


  • 2.  RE: Utilize QRadar API for retrieving Source IP Address

    Posted Tue June 04, 2019 09:58 AM
    The below is from the Interactive API.
    First you start your search:
    curl -s -X POST -u USERNAME -H 'Version: 10.0' -H 'Accept: application/json' 'https://server/api/ariel/searches?query_expression=select%20*%20from%20events%20where%20sourceip%3D%278.8.8.8%27%20START%20PARSEDATETIME%28%271%20minute%20ago%27%29'

    Then the response payload will contain the search ID:
    {
    "cursor_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7",
    "status": "WAIT",
    "compressed_data_file_count": 0,
    "compressed_data_total_size": 0,
    "data_file_count": 0,
    "data_total_size": 0,
    "index_file_count": 0,
    "index_total_size": 0,
    "processed_record_count": 0,
    "desired_retention_time_msec": 86400000,
    "progress": 0,
    "progress_details": [],
    "query_execution_time": 0,
    "query_string": "select * from events where sourceip='8.8.8.8' START PARSEDATETIME('1 minute ago')",
    "record_count": 0,
    "size_on_disk": 0,
    "save_results": false,
    "completed": false,
    "subsearch_ids": [],
    "snapshot": null,
    "search_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7"
    }
    Then you have to wait for the search to finish, querying the below API at some interval:
    curl -s -X GET -u USERNAME -H 'Version: 10.0' -H 'Accept: application/json' 'https://SERVER/api/ariel/searches/d97dd9af-e33b-4878-91d6-cd5f7c742ff7'
    The response payload will give you detail about whether the search is finished:
    {
    "cursor_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7",
    "status": "COMPLETED",
    "compressed_data_file_count": 0,
    "compressed_data_total_size": 0,
    "data_file_count": 0,
    "data_total_size": 0,
    "index_file_count": 3,
    "index_total_size": 1119616,
    "processed_record_count": 0,
    "desired_retention_time_msec": 86400000,
    "progress": 100,
    "progress_details": [],
    "query_execution_time": 574,
    "query_string": "select * from events where sourceip='8.8.8.8' START PARSEDATETIME('1 minute ago')",
    "record_count": 0,
    "size_on_disk": 24,
    "save_results": false,
    "completed": true,
    "subsearch_ids": [],
    "snapshot": null,
    "search_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7"
    }

    Finally, to get your results, you run the below:
    curl -s -X GET -u USERNAME -H 'Range: items=0-49' -H 'Version: 10.0' -H 'Accept: application/json' 'https://SERVER/api/ariel/searches/d97dd9af-e33b-4878-91d6-cd5f7c742ff7/results'


    ------------------------------
    Patrick Barnes
    ------------------------------
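The three-step flow from the reply above (start the Ariel search, poll its status, fetch a page of results) as a small Python client, written here as an added example and not taken from the thread or from IBM. It assumes only the endpoints, headers and statuses visible in the reply; the `ArielSearch`, `build_query` and `FakeTransport` names are the example's own, and the transport is a constructed stand-in that replays trimmed versions of the thread's JSON so the code runs offline.

```python
import ipaddress
import time
from urllib.parse import quote, urlencode
# Terminal statuses: the poll loop stops on any of them, not only COMPLETED.
TERMINAL = {"COMPLETED", "CANCELED", "ERROR"}
def build_query(source_ips, window="1 minute ago"):
    """AQL for the given source IPs; ipaddress rejects anything that is not a
    bare address, so caller-supplied text cannot alter the query."""
    ips = [str(ipaddress.ip_address(ip)) for ip in source_ips]
    clause = " OR ".join(f"sourceip='{ip}'" for ip in ips)
    return f"select * from events where {clause} START PARSEDATETIME('{window}')"
class ArielSearch:
    """POST the search, poll it until a terminal status, GET a page of results.
    http(method, path, headers) is a transport callback returning parsed JSON."""
    def __init__(self, http, version="10.0"):
        self.http = http
        self.headers = {"Version": version, "Accept": "application/json"}
    def start(self, query):
        # quote (not quote_plus) so spaces become %20 as in the thread's curl call
        path = "/api/ariel/searches?" + urlencode({"query_expression": query}, quote_via=quote)
        return self.http("POST", path, self.headers)["search_id"]
    def wait(self, search_id, interval=1.0, timeout=60.0):
        deadline = time.monotonic() + timeout
        while True:
            info = self.http("GET", f"/api/ariel/searches/{search_id}", self.headers)
            if info["status"] in TERMINAL:
                return info
            if time.monotonic() >= deadline:
                raise TimeoutError(f"search {search_id} still {info['status']}")
            time.sleep(interval)
    def results(self, search_id, first=0, last=49):
        # Range header pages the result set, exactly as the thread's last curl call
        headers = dict(self.headers, Range=f"items={first}-{last}")
        return self.http("GET", f"/api/ariel/searches/{search_id}/results", headers)
class FakeTransport:
    """Constructed stand-in for an HTTPS client: WAIT on the first poll, then COMPLETED."""
    SID = "d97dd9af-e33b-4878-91d6-cd5f7c742ff7"
    def __init__(self):
        self.paths, self.polls, self.last_headers = [], 0, None
    def __call__(self, method, path, headers):
        self.paths.append(path); self.last_headers = headers
        if method == "POST":
            return {"search_id": self.SID, "status": "WAIT", "completed": False}
        if path.endswith("/results"):
            return {"events": []}  # results are keyed by table name (assumed)
        self.polls += 1
        done = self.polls >= 2
        return {"search_id": self.SID, "status": "COMPLETED" if done else "WAIT", "completed": done}
```

A real transport would send the request over HTTPS with the same basic auth the thread's `curl -u` uses and return the parsed JSON body; everything else stays unchanged.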