IBM Security QRadar

  • 1.  REST API filter for description field

    Posted Wed July 01, 2020 01:50 AM
    Hi 

    I want to use the REST API to filter on the description field in the offense data, but I keep getting an error message.

    for example when I do 
    description="XXXXX" then got following error
    An error occurred while the offense list was being retrieved.
    Filtering is unsupported on the field: description

    if I do 
    description=xxxxx* then got following error

    The filter parameter is not valid
    A filter parameter was invalid. Please make sure that the syntax is correct: Error Parsing filter

    Does anyone have any suggestions regarding what syntax I should use when filtering on the description field?

    Regards


    ------------------------------
    Linsong Guo
    ------------------------------


  • 2.  RE: REST API filter for description field

    Posted Thu July 02, 2020 10:23 AM
    Just guessing here, but how about description ilike "xxxxx%" for case insensitive comparison. I am assuming description is a character field. I haven't messed with offenses in the API.



    ------------------------------
    _____________________
    Daniel Sichel
    ------------------------------



  • 3.  RE: REST API filter for description field

    Posted Thu July 02, 2020 10:56 PM
    Hi Daniel

    Thank you for your reply, but it throws the error message: Filtering is unsupported on the field: description

    Does this mean the description field does not support any filter?

    Regards
    Linsong






  • 4.  RE: REST API filter for description field

    Posted Fri July 03, 2020 01:18 PM
    Hi Linsong Guo, indeed the description field is not filterable / sortable.


    ------------------------------
    Juan Ignacio Leon Plaza
    Security Expert Labs Specialist
    IBM
    Santiago
    ------------------------------



  • 5.  RE: REST API filter for description field

    Posted Mon July 06, 2020 02:01 PM
    It looks like your best bet would be to launch the query from a Python script and then filter the results programmatically.


    ------------------------------
    _____________________
    Daniel Sichel
    ------------------------------
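
The client-side approach suggested in the reply above, as an added example that is not part of the original thread or IBM's own code: it pages through the offense list and matches the description locally with a case-insensitive glob. The `/api/siem/offenses` path, the `SEC` token header and `Range` paging are assumptions to check against your deployment's api_doc; the host in the comment and the sample offenses are constructed.

```python
import fnmatch
import json
import urllib.parse
import urllib.request

PAGE = 50  # offenses requested per call through the Range header

# Constructed sample data standing in for API responses (not real offenses).
SAMPLE = [
    {"id": 1, "description": "Multiple Login Failures\n", "assigned_to": None},
    {"id": 2, "description": "Port Scan detected", "assigned_to": "admin"},
    {"id": 3, "description": "multiple login failures for one user\n", "assigned_to": None},
]


def fetch_page(base_url, token, start, server_filter=None):
    """Fetch one page of offenses; server_filter may name filterable fields only."""
    query = {"fields": "id,description,assigned_to"}
    if server_filter:
        query["filter"] = server_filter  # e.g. 'assigned_to="admin"', never description
    url = f"{base_url}/api/siem/offenses?{urllib.parse.urlencode(query)}"
    headers = {"SEC": token, "Version": "13.1", "Accept": "application/json",
               "Range": f"items={start}-{start + PAGE - 1}"}
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req) as resp:  # TLS certificate is verified by default
        return json.load(resp)


def offenses_matching(pattern, get_page):
    """Yield offenses whose description matches a case-insensitive glob such as
    'xxxxx*', paging until a short page signals the end of the list."""
    start = 0
    while True:
        page = get_page(start)
        for offense in page:
            desc = (offense.get("description") or "").strip().lower()
            if fnmatch.fnmatchcase(desc, pattern.lower()):
                yield offense
        if len(page) < PAGE:
            return
        start += PAGE


if __name__ == "__main__":
    # Live use (hypothetical host): lambda s: fetch_page("https://qradar.example", token, s)
    hits = offenses_matching("multiple login*", lambda s: SAMPLE[s:s + PAGE])
    print([o["id"] for o in hits])
```
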



  • 6.  RE: REST API filter for description field

    Posted Thu July 02, 2020 10:28 AM

    Hi Linsong Guo,
    Take a look at the api_doc of your QRadar deployment, you will see a description list of the available fields and also a description indicating if the fields are able to be filtered or sorted, you will note the description field is not filterable nor sortable (API version: 13.1).

    • id - Number - The ID of the offense. (Filterable. Sortable.)
    • description - String - The description of the offense.
    • assigned_to - String - The user the offense is assigned to. (Filterable. Sortable.)


    Greetings,

    Juan Ignacio León.



    ------------------------------
    Juan Ignacio Leon Plaza
    ------------------------------