I am getting 'N/A' for the Event ID using the provided query.
I would like to get numbers as seen in Windows Event Viewer. Wonder if that is possible.
Original Message:
Sent: Mon August 21, 2023 04:03 PM
From: Arthur Bernardo Escorcio Hardt
Subject: QRadar Offenses
Hi Boon Chang,
Yes, it's possible!!
Try:
select "EventID" as 'Event ID',"startTime" as 'Start Time',logsourcename(logSourceId) as 'Log Source' from events where ( logSourceId='714' ) order by "startTime" desc LIMIT 1000 last 7 days
Regards,
Arthur Hardt
------------------------------
Arthur Bernardo Escorcio Hardt
Original Message:
Sent: Thu August 17, 2023 02:47 AM
From: Boon Chang Tan
Subject: QRadar Offenses
Hi,
Currently, I am using the following query:
select QIDNAME(qid) as 'Event Name',"startTime" as 'Start Time',logsourcename(logSourceId) as 'Log Source' from events where ( logSourceId='714' ) order by "startTime" desc LIMIT 1000 last 7 days
The log source is a WinCollect log source, used for Windows Event Logs.
Currently, it is getting the Event name:

You know how Windows Event log entries usually have an Event ID?

I would like to have a query which would get the Event ID instead of the Event name. Wondering if it is possible in QRadar.
Just trying my luck here.
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Tue July 18, 2023 08:45 AM
From: Arthur Bernardo Escorcio Hardt
Subject: QRadar Offenses
Hi,
Example query: /opt/qradar/bin/ariel_query -u <your user> -q "SELECT * from events LIMIT 5 last 5 minutes" --no_verify -o JSON
The script will prompt you to enter your user password.

Regards,
Arthur Hardt
------------------------------
Arthur Bernardo Escorcio Hardt
Original Message:
Sent: Tue July 18, 2023 03:20 AM
From: Boon Chang Tan
Subject: QRadar Offenses
Hi,
Thank you for the information provided. They seem to be able to do what I want to achieve.
I am looking at both scripts available on QRadar, and I already have the AQL query which I wish to utilise prepared; however, I am having some trouble understanding how to integrate the query into the script or making the script run the intended query.
/opt/qradar/bin/ariel_query

/opt/qradar/ariel/bin/apiClientDir/restapi_client/arielquery.py

Do I place the AQL query in some directory and edit the provided py script to run with the intended query?
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Wed July 12, 2023 10:52 AM
From: Arthur Bernardo Escorcio Hardt
Subject: QRadar Offenses
Hi,
Yes, it's possible. Take a look at this script that allows you to perform an AQL query and obtain a JSON output of the results: /opt/qradar/bin/ariel_query
Description of the script: This script executes an Ariel query, waits until it is complete, and prints the response to STDOUT.
If you want to create your own script to perform searches, take a look at this file: /opt/qradar/ariel/bin/apiClientDir/restapi_client/arielquery.py
Regards,
Arthur Hardt
------------------------------
Arthur Bernardo Escorcio Hardt
Original Message:
Sent: Wed July 12, 2023 03:42 AM
From: Boon Chang Tan
Subject: QRadar Offenses
Hi,
Thanks, I was able to get the information which I intended to get from Offenses.
This is slightly off-topic, but I am wondering if it is possible to get Log Activity and/or Network Activity in a similar method (i.e. using curl or other ways which do not involve going directly to the QRadar GUI)?
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Thu July 06, 2023 02:44 AM
From: Arthur Bernardo Escorcio Hardt
Subject: QRadar Offenses
Hello,
This exception occurs because the SSL/TLS certificate presented by the server is not recognized or trusted by the client. I guess that you don't have any SSL certificate on your QRadar, so in this case, you can use the parameter -k. I reproduced the same scenario below:

In the first curl command, I received the same error as you did. In the second curl command, I used the -k parameter to bypass the certificate, and as you can see, it worked. I need to emphasize that without certificate verification (using the -k parameter), you are vulnerable to "Man-in-the-Middle" attacks, where a third party can intercept the communication and gain unauthorized access to the transmitted data. I suggest that you read the following documentation (https://reqbin.com/req/c-bw1fsypn/curl-ssl-request) because if you have a certificate configured on your QRadar, you can use it with the parameters --cert or --cacert.
Hope that this resolves your problem.
Regards,
Arthur Hardt
------------------------------
Arthur Bernardo Escorcio Hardt
Original Message:
Sent: Wed July 05, 2023 11:28 PM
From: Boon Chang Tan
Subject: QRadar Offenses
Hi,
I am getting the following exception:

The exception is similar to when I used "-u admin" and entered the password for it:

Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Wed July 05, 2023 08:13 AM
From: Arthur Bernardo Escorcio Hardt
Subject: QRadar Offenses
Hello Boon Chang Tan,
The cause of this error is that you did not provide an Authorized Token in the headers of the request. I have provided an example for you:

In the first CURL command, I didn't pass the Authorized Token in the headers, and as you can see, I received the same error. In the second CURL command, I included the Authorized Token and received the expected response.
To generate an Authorized Token, navigate to Admin > Authorized Services > Add (https://www.ibm.com/docs/en/qradar-common?topic=app-creating-authorized-service-token-qradar-operations).
Regards,
Arthur Hardt
------------------------------
Arthur Bernardo Escorcio Hardt
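The pieces discussed above (the SEC header from the Authorized Services post, keeping certificate verification on instead of using -k, and running an AQL search from your own script rather than only via /opt/qradar/bin/ariel_query) combined into one small client. This is an added example, not the page's ariel_query or arielquery.py; the console URL and token are placeholders, the AQL is the thread's Event ID query, and the /api/ariel/searches endpoints are QRadar's Ariel REST API.

```python
"""Run an AQL search through QRadar's Ariel REST API with the SEC header set
and TLS verification kept on. Added example, not the thread's ariel_query script."""
import json
import ssl
import time
import urllib.parse
import urllib.request

SEARCHES = "/api/ariel/searches"  # QRadar Ariel search endpoint

# Placeholders: replace with your console and an Authorized Services token.
CONSOLE = "https://qradar.example.local"
SEC_TOKEN = "REPLACE-WITH-AUTHORIZED-SERVICE-TOKEN"
# The thread's query, selecting the Windows Event ID instead of the QID name.
AQL = ('select "EventID" as \'Event ID\',"startTime" as \'Start Time\','
       'logsourcename(logSourceId) as \'Log Source\' from events '
       'where ( logSourceId=\'714\' ) order by "startTime" desc LIMIT 1000 last 7 days')

def api_headers(sec_token):
    # The SEC header carries the authorized-service token; without it the API
    # replies "No SEC header present in request".
    return {"SEC": sec_token, "Accept": "application/json"}

def https_fetch(method, url, headers, cafile=None):
    """One HTTPS call, JSON body parsed. Verification stays on: pass the console
    CA in cafile (curl's --cacert) rather than disabling checks (curl's -k)."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)

def run_aql(base_url, sec_token, aql, fetch=https_fetch, poll_seconds=2.0):
    """Submit aql, poll the search until COMPLETED, then return the event rows.
    fetch(method, url, headers) is injectable so the flow can be tested offline."""
    headers = api_headers(sec_token)
    qs = urllib.parse.urlencode({"query_expression": aql})
    search = fetch("POST", f"{base_url}{SEARCHES}?{qs}", headers)
    search_id = search["search_id"]
    while True:  # Ariel searches are asynchronous; poll the status resource
        state = fetch("GET", f"{base_url}{SEARCHES}/{search_id}", headers)
        if state["status"] == "COMPLETED":
            break
        if state["status"] in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended with {state['status']}")
        time.sleep(poll_seconds)
    results = fetch("GET", f"{base_url}{SEARCHES}/{search_id}/results", headers)
    return results["events"]
```

Call `run_aql(CONSOLE, SEC_TOKEN, AQL)` against a console whose certificate chains to your system trust store, or wrap `https_fetch` with `functools.partial(https_fetch, cafile="console-ca.pem")` for a self-signed console CA.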
Original Message:
Sent: Wed June 21, 2023 04:33 AM
From: Boon Chang Tan
Subject: QRadar Offenses
Hi,
I am getting the following error "No SEC header present in request" when I try to view the URL through the browser.

Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan
Original Message:
Sent: Wed May 24, 2023 09:25 AM
From: Jonathan Pechta
Subject: QRadar Offenses
There is a log source that is triggered and writes events for the Custom Rule Engine. You might try by adding a filter to Log Activity where Log Source (Indexed) = Custom Rule Engine to see if these logs look for what you want to review. If you are looking for data on offenses by their ID, you can use the /siem/offenses API endpoint or potentially look at the /analytics/rules_offense_contributions.
You can take a look at the documentation to see what fields can be queried: https://ibmsecuritydocs.github.io/qradar_api_overview/
I'm not sure what you are looking for specifically, but if you can provide more details as to the info you want to find, maybe we can clarify further. There is some info in the logs that shows updates, but this is mostly metadata from EPs sending details to update existing offenses.
If you are just looking to monitor offenses and owners, I would highly suggest that you look at the SIEM Self-monitoring extension for QRadar.
------------------------------
Jonathan Pechta
QRadar Support Content Lead
Support forums: ibm.biz/qradarforums
jonathan.pechta1@ibm.com
Original Message:
Sent: Tue May 23, 2023 11:10 PM
From: Boon Chang Tan
Subject: QRadar Offenses
Hi,
Is there somewhere, like in the backend directory, where the logs of QRadar Offenses are stored?
Best regards,
Tan Boon Chang
------------------------------
Boon Chang Tan