IBM Security QRadar


Utilize QRadar API for retrieving Source IP Address

  • 1.  Utilize QRadar API for retrieving Source IP Address

    Posted Fri May 31, 2019 10:34 AM
    I'm looking to utilize the QRadar API for verifying that I'm receiving events from certain Source IPs. I think this should be fairly easy but I must be missing something. I've had a little bit of experience with Basic GETs but can't seem to nail this down. Anyone have any suggestions besides reading the API doc :)?

    ------------------------------
    Justin Mann
    ------------------------------


  • 2.  RE: Utilize QRadar API for retrieving Source IP Address

    Posted Tue June 04, 2019 09:58 AM
    The below is from the Interactive API.
    First you start your search:
    curl -s -X POST -u USERNAME -H 'Version: 10.0' -H 'Accept: application/json' 'https://SERVER/api/ariel/searches?query_expression=select%20*%20from%20events%20where%20sourceip%3D%278.8.8.8%27%20START%20PARSEDATETIME%28%271%20minute%20ago%27%29'

    Then the response payload will contain the search id:
    {
      "cursor_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7",
      "status": "WAIT",
      "compressed_data_file_count": 0,
      "compressed_data_total_size": 0,
      "data_file_count": 0,
      "data_total_size": 0,
      "index_file_count": 0,
      "index_total_size": 0,
      "processed_record_count": 0,
      "desired_retention_time_msec": 86400000,
      "progress": 0,
      "progress_details": [],
      "query_execution_time": 0,
      "query_string": "select * from events where sourceip='8.8.8.8' START PARSEDATETIME('1 minute ago')",
      "record_count": 0,
      "size_on_disk": 0,
      "save_results": false,
      "completed": false,
      "subsearch_ids": [],
      "snapshot": null,
      "search_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7"
    }
    Then you have to wait for the search to finish, querying the below API at some interval:
    curl -s -X GET -u USERNAME -H 'Version: 10.0' -H 'Accept: application/json' 'https://SERVER/api/ariel/searches/d97dd9af-e33b-4878-91d6-cd5f7c742ff7'
    The response payload will give you detail about whether the search is finished:
    {
      "cursor_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7",
      "status": "COMPLETED",
      "compressed_data_file_count": 0,
      "compressed_data_total_size": 0,
      "data_file_count": 0,
      "data_total_size": 0,
      "index_file_count": 3,
      "index_total_size": 1119616,
      "processed_record_count": 0,
      "desired_retention_time_msec": 86400000,
      "progress": 100,
      "progress_details": [],
      "query_execution_time": 574,
      "query_string": "select * from events where sourceip='8.8.8.8' START PARSEDATETIME('1 minute ago')",
      "record_count": 0,
      "size_on_disk": 24,
      "save_results": false,
      "completed": true,
      "subsearch_ids": [],
      "snapshot": null,
      "search_id": "d97dd9af-e33b-4878-91d6-cd5f7c742ff7"
    }

    Finally, to get your results, you run the below:
    curl -s -X GET -u USERNAME -H 'Range: items=0-49' -H 'Version: 10.0' -H 'Accept: application/json' 'https://SERVER/api/ariel/searches/d97dd9af-e33b-4878-91d6-cd5f7c742ff7/results'


    ------------------------------
    Patrick Barnes
    ------------------------------
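The three-step flow in the answer above (start the Ariel search, poll its status, page through the results with a Range header), written up as a small Python client. This is an added example and not code from the post or from IBM; the console hostname, the SEC token and the source IPs are placeholders, the `Version: 10.0` header and the `items=0-49` paging are taken from the answer, and the treatment of ERROR and CANCELED as terminal statuses follows QRadar's Ariel search status values. It goes a little beyond the post in two ways: the IPs and the relative time are validated before being spliced into the AQL, so a caller-supplied value cannot rewrite the query, and several source IPs are checked in one search with the result counted per IP, so a source that sent nothing shows up as 0 rather than as a missing key. The HTTP layer is a plain callable so the flow can be exercised offline against a fake.

```python
"""Added example, not code from the original post: the Ariel flow
(start search, poll status, page results) as a small client. Console host,
SEC token and IPs are placeholders; the HTTP layer is injectable."""
import base64
import ipaddress
import json
import re
import ssl
import time
import urllib.parse
import urllib.request

API_VERSION = "10.0"                      # same Version header as the post
_RELATIVE_TIME = re.compile(r"^\d+ (minute|minutes|hour|hours|day|days) ago$")


def build_aql(source_ips, since="1 minute ago"):
    """Build the post's query for one or more source IPs. Both inputs are
    validated first so a caller-supplied string cannot rewrite the AQL."""
    ips = [str(ipaddress.ip_address(ip)) for ip in source_ips]   # ValueError on junk
    if not ips or not _RELATIVE_TIME.match(since):
        raise ValueError("bad IP list or relative time %r" % since)
    where = " OR ".join("sourceip='%s'" % ip for ip in ips)
    return "select * from events where %s START PARSEDATETIME('%s')" % (where, since)


def make_http(console, token=None, basic=None, verify_tls=True):
    """Return http(method, path, extra_headers) -> parsed JSON over urllib.
    Auth is a SEC token (authorized service) or a (user, password) tuple."""
    headers = {"Version": API_VERSION, "Accept": "application/json"}
    if token:
        headers["SEC"] = token
    elif basic:
        creds = base64.b64encode(("%s:%s" % basic).encode()).decode()
        headers["Authorization"] = "Basic " + creds
    ctx = ssl.create_default_context()
    if not verify_tls:                    # lab consoles with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def http(method, path, extra=None):
        req = urllib.request.Request("https://%s%s" % (console, path),
                                     headers={**headers, **(extra or {})},
                                     method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)
    return http


def start_search(http, aql):
    """POST /api/ariel/searches; the AQL goes URL-encoded in query_expression."""
    qs = urllib.parse.urlencode({"query_expression": aql})
    return http("POST", "/api/ariel/searches?" + qs)["search_id"]


def wait_for_search(http, search_id, poll_every=2.0, timeout=300.0, sleep=time.sleep):
    """Poll GET /api/ariel/searches/{id}. COMPLETED is the only success;
    ERROR and CANCELED are terminal, and anything else past timeout is given up."""
    deadline = time.monotonic() + timeout
    while True:
        st = http("GET", "/api/ariel/searches/%s" % search_id)
        if st["status"] == "COMPLETED":
            return st
        if st["status"] in ("ERROR", "CANCELED"):
            raise RuntimeError("search %s ended with %s" % (search_id, st["status"]))
        if time.monotonic() > deadline:
            raise TimeoutError("search %s still %s after %ss" % (search_id, st["status"], timeout))
        sleep(poll_every)


def fetch_events(http, search_id, page=50):
    """Page through /results with the Range header (the post asks for items=0-49)."""
    events, start = [], 0
    while True:
        rng = {"Range": "items=%d-%d" % (start, start + page - 1)}
        chunk = http("GET", "/api/ariel/searches/%s/results" % search_id, rng)["events"]
        events.extend(chunk)
        if len(chunk) < page:             # short page: no more results
            return events
        start += page


def events_per_source(http, source_ips, since="1 minute ago", **wait_kw):
    """Run one search for all IPs and return {ip: count}; a silent source shows as 0."""
    counts = {str(ipaddress.ip_address(ip)): 0 for ip in source_ips}
    sid = start_search(http, build_aql(source_ips, since))
    wait_for_search(http, sid, **wait_kw)
    for ev in fetch_events(http, sid):
        if ev.get("sourceip") in counts:
            counts[ev["sourceip"]] += 1
    return counts


if __name__ == "__main__":
    # placeholders: replace with your console and an authorized-service token
    http = make_http("qradar.example.internal", token="SEC-TOKEN-HERE")
    print(events_per_source(http, ["8.8.8.8", "10.0.0.5"], since="1 hour ago"))
```

A SEC token from an authorized service is preferred over `-u USERNAME` for anything scripted, since it can be scoped to a read-only security profile and rotated without touching a user account; `verify_tls=False` exists only for a lab console with a self-signed certificate and should never be used against production.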