IBM Security QRadar

 View Only

  • 1.  How to determine QRadar API base URI?

    Posted Wed August 25, 2021 03:47 AM
    Hi all. Can some one guide me how to determine QRadar API base URI?
    Thanks so much!

    ------------------------------
    Le Hieu
    ------------------------------


  • 2.  RE: How to determine QRadar API base URI?

    IBM Champion
    Posted Thu September 02, 2021 06:33 AM
    not sure what you are looking for.
    API documentation in admin GUI will show your individual URI for your GET and POST commands as well as the "base" URI.
    CLI sample output:

    [root@localhost ~]# curl -s -X GET -u admin -H 'Version: 12.0' -H 'Accept: application/json' 'https://192.168.1.80/api/siem/offenses/100'
    Enter host password for user 'admin':
    {"username_count":1,"description":"Suspicious Activity Followed by Endpoint Administration task\n preceded by Recovery Disabled in Boot Options\n containing Success Audit: A new process has been created\n","rules":[{"id":106322,"type":"CRE_RULE"},{"id":103322,"type":"CRE_RULE"}],"event_count":21,"flow_count":0,"assigned_to":null,"security_category_count":2,"follow_up":false,"source_address_ids":[343],"source_count":1,"inactive":false,"protected":false,"closing_user":null,"destination_networks":["Net-10-172-192.Net_192_168_0_0"],"source_network":"Net-10-172-192.Net_192_168_0_0","category_count":2,"close_time":null,"remote_destination_count":0,"start_time":1630523087016,"magnitude":5,"last_updated_time":1630523088523,"credibility":3,"id":100,"categories":["Process Creation Success","Suspicious Activity"],"severity":8,"policy_category_count":0,"log_sources":[{"type_name":"EventCRE","type_id":18,"name":"Custom Rule Engine-8 :: localhost","id":63},{"type_name":"WindowsAuthServer","type_id":12,"name":"windows106","id":412}],"closing_reason_id":null,"device_count":2,"offense_type":51,"relevance":4,"domain_id":0,"offense_source":"ADNB-SD","local_destination_address_ids":[10],"local_destination_count":1,"status":"OPEN"}[root@localhost ~]#

    In this case password is entered interactively on the host itself. When your request is issued by script, you need to supply an auth token using the -H parameter, see sample offense script below

    #!/bin/bash
    console_ip=$1
    api_token=$2
    offense_id=$3
    auth_header="SEC:$api_token"
    output=$(curl -k -H $auth_header https://$console_ip/console/restapi/api/siem/offenses/$offense_id)
    # Basic print out of the output of the command
    echo $output

    Of course you can use hostnames instead of IP addresses if your local DNS is setup.
    hope this helps

    ------------------------------
    [Karl] [Jaeger] [Business Partner]
    [QRadar Specialist]
    [pro4bizz]
    [Karlsruhe] [Germany]
    [4972190981722]
    ------------------------------

    Original Message