IBM QRadar
App Vendor: IBM
App Category: Analytics & SIEM
Connector Version: 2.7.0
API version: 11.0
Product Version: 7.3
About App
The QRadar app lets security teams integrate with the IBM QRadar enterprise application to perform security activities such as risk management, vulnerability management, forensic analysis, and incident response. IBM QRadar SIEM is part of the IBM QRadar Security Intelligence Platform.
The QRadar app is configured in Orchestrate to perform the following actions:
Action Name | Description |
---|---|
Adding a Closing Reason | This action adds a closing reason for an offense. |
Delete a Search | This action deletes a search. |
Get All QVM Assets | This action retrieves the QRadar Vulnerability Management assets. |
Get Assets | This action retrieves the available assets. |
Get Closing Reasons | This action retrieves the closing reasons for an offense. |
Get All Database Names | This action retrieves the database names. |
Get Elements of a Reference Data Set | This action retrieves the elements of a reference data set. |
Get Offense Details | This action retrieves the details of an offense. |
Get Offense Notes | This action retrieves the offense notes. |
Get Offenses | This action retrieves the offenses that were triggered in QRadar. |
Get Query Status | This action retrieves the status of a search query. |
Get Reference Data Sets | This action retrieves the reference data sets. |
Get Ariel Query Saved Searches | This action retrieves the Ariel query saved searches. |
Get Search Query Results | This action retrieves the search query results. |
Post an Offense Note | This action posts a note to an offense. |
Retrieve Search ID(s) | This action retrieves the search ID(s). |
Start New Search using Ariel QL | This action starts a new search using Ariel query language. |
Get/List Tenants | This action lists the available tenants. |
Get/List Domains | This action lists the available Domains. |
Get Log Source by ID | This action retrieves the log source by ID. |
Get Offense Source Address by ID | This action retrieves an offense source address by ID. |
Get Offense Destination Address by ID | This action retrieves an offense destination address by ID. |
List Log Sources | This action retrieves a list of log sources. |
List Offense Source Address | This action retrieves a list of offense source addresses currently in the system. |
List Offense Destination Addresses | This action retrieves a list of local offense destination addresses currently in the system. |
Add a New Reference Set | This action adds a new reference set. |
Update Offense | This action updates an offense. |
Add or Update an Element in a Reference Set | This action adds or updates an element in a reference set. |
Delete Reference Set | This action deletes a reference set. |
Get Reference Set Details | This action retrieves details of a reference set. |
Get Reference Tables | This action retrieves all the available reference tables. |
Get Offense Type by ID | This action retrieves an offense type structure that describes the properties of an offense type by ID. |
Add Data to a Reference Table | This action adds data to a reference table. |
Get Offense Type | This action retrieves a list of offense types. |
Bulk Load Reference Dataset | This action loads data from a single or multiple CSV files or a database table for reference. |
Delete Reference Table Value | This action deletes a value from a reference table. |
Delete Reference Set Value | This action deletes a value from a reference set. |
List Low Level Categories | This action retrieves a list of low level offense categories. |
List High Level Categories | This action retrieves a list of high level offense categories. |
Search Indicators in Events | This action searches for indicators in QRadar events. |
Prerequisites
All the actions configured in the QRadar app use private APIs. A QRadar Enterprise subscription is required to access the private APIs.
Configuration Parameters
The following configuration parameters are required for the QRadar app to communicate with the QRadar Enterprise application. The parameters are configured by creating instances in the QRadar app.
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL to access IBM QRadar. Example: https://ibmqradardomain.com | Text | Required | |
Username | Enter the username to access the QRadar application. Authentication requires either a username and password or an API token. Example: "john.doe" | Text | Optional | |
Password | Enter the password to access the QRadar application. Authentication requires either a username and password or an API token. | Password | Optional | |
API Token | Enter the API token to access the QRadar application. Authentication requires either a username and password or an API token. Example: "aT1xxxx5rzs" | Text | Optional | |
Verify | Choose whether to verify the TLS certificate of the QRadar server or skip verification. Enabling this option is recommended. Example: True | Boolean | Optional | Default value: False |
Timeout | Enter the timeout value in seconds. This is the number of seconds that requests wait to establish a connection with IBM QRadar. | Integer | Optional | Default value: 15 seconds. Allowed range: 15 - 120 seconds |
API Version | Enter the IBM QRadar API version being used. Example: "11.0" | Text | Optional | Default value: 11.0 |
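The configuration table above leaves three things to the operator: the two mutually exclusive authentication methods, a timeout that must stay within 15 to 120 seconds, and a Verify flag that defaults to False even though the page recommends enabling it. The helper below is an added example (not the Orchestrate app's or IBM's code) that turns such a configuration into keyword arguments for an HTTP client and enforces those rules. The `SEC` and `Version` header names are QRadar's REST API headers; the `https://` requirement and the warning on disabled verification are this example's own hardening choices.

```python
"""Validate a QRadar app instance configuration before any request is sent.

Hypothetical helper (not part of the Orchestrate app): it converts the
configuration parameters from the page into {'base_url', 'headers', 'auth',
'verify', 'timeout'} for an HTTP client such as `requests`, and rejects
configurations that break the page's rules.
"""
import logging
from typing import Any, Dict

log = logging.getLogger("qradar.config")

TIMEOUT_MIN, TIMEOUT_MAX, TIMEOUT_DEFAULT = 15, 120, 15   # seconds, per the page
API_VERSION_DEFAULT = "11.0"


def build_connection(config: Dict[str, Any]) -> Dict[str, Any]:
    """Return HTTP client settings derived from the app instance configuration."""
    base_url = str(config.get("base_url", "")).rstrip("/")
    if not base_url.startswith("https://"):
        # Example's own rule: credentials and tokens must never travel in clear text.
        raise ValueError("Base URL must be an https:// URL")

    token = config.get("api_token")
    username, password = config.get("username"), config.get("password")
    headers = {
        "Version": str(config.get("api_version") or API_VERSION_DEFAULT),
        "Accept": "application/json",
    }
    auth = None
    if token and (username or password):
        raise ValueError("Supply either an API token or a username/password pair, not both")
    if token:
        headers["SEC"] = str(token)          # QRadar's API token header
    elif username and password:
        auth = (str(username), str(password))  # HTTP basic authentication
    else:
        raise ValueError("An API token or a username and password is required")

    timeout = int(config.get("timeout", TIMEOUT_DEFAULT))
    if not TIMEOUT_MIN <= timeout <= TIMEOUT_MAX:
        raise ValueError(f"timeout must be {TIMEOUT_MIN}-{TIMEOUT_MAX} seconds, got {timeout}")

    verify = bool(config.get("verify", False))   # the page's default is False
    if not verify:
        # Disabled verification lets anyone on the path impersonate the QRadar console.
        log.warning("TLS certificate verification is disabled for %s; enable 'Verify'", base_url)

    return {"base_url": base_url, "headers": headers, "auth": auth,
            "verify": verify, "timeout": timeout}


if __name__ == "__main__":
    # Constructed sample configuration using the page's example values.
    print(build_connection({"base_url": "https://ibmqradardomain.com",
                            "api_token": "aT1xxxx5rzs", "verify": True, "timeout": 30}))
```

Pass the returned `verify` and `timeout` values straight to the HTTP call; keeping them in one place means a disabled Verify flag is logged once at instance creation rather than silently on every request.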
Action: Adding a Closing Reason
This action adds a closing reason for an offense.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reason | Enter a closing reason for an offense. Example: "Issue identified" | Text | Required | The text for the reason to close an offense must be 5 - 60 characters. |
Example Request
[ { "reason": "Issue identified" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | The ID of the closing reason. |
| String | The text of the closing reason. |
| Boolean | Determines whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense. |
| Boolean | Determines whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense. |
Action: Delete a Search
This action deletes an Ariel search. This action discards any results that were collected and stops the search if it is in progress. This search is deleted regardless of whether the results were saved.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Search ID | Enter the search ID of the search to delete. Example: "c02c77a7-9908-434d-9de4-3ec6ad1049b1" | Text | Required |
Example Request
[ { "search_id": "c02c77a7-9908-434d-9de4-3ec6ad1049b1" } ]
Action: Get all QVM assets
This action retrieves all QRadar Vulnerability Management assets.
Action Input Parameters
This action does not require any action input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object includes the details of one asset. |
| Long | The ID of the asset. |
| Long | The ID of the domain this asset belongs to. |
| Long | The total number of vulnerabilities associated with this asset. |
| Double | The sum of the CVSS scores of the vulnerabilities on this asset. |
| Array | The hostnames on this asset. |
| Long | The ID of this hostname. |
| Enum | The type of hostname. One of "DNS", "NETBIOS", or "NETBIOSGROUP". |
| String | The hostname. |
| Long | The time this hostname was created. This time is in milliseconds since epoch. |
| Long | The time this hostname was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this hostname was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this hostname was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this hostname was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Array | The interfaces on this asset. |
| Long | The ID of this interface. |
| String | The MAC address of this interface. Null if unknown. |
| Array | The IP addresses on this interface. |
| Long | The ID of this interface. |
| Long | The ID of the network this IP address belongs to in QRadar's network hierarchy. |
| String | The IP address. |
| Enum | The type of this IP address. One of "IPV4" or "IPV6". |
| Long | The time this IP address was created. This time is in milliseconds since epoch. |
| Long | The time this IP address was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this IP address was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this IP address was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this IP address was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this interface was created. This time is in milliseconds since epoch. |
| Long | The time this interface was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this interface was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this interface was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this interface was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Array | The software products detected on this asset. |
| Long | The ID of this software product instance in QRadar's asset model. |
| Long | The ID of this software product variant in QRadar's catalog of products. |
| Long | The time this product was most recently scanned for. This time is in milliseconds since epoch. |
| Long | The time this product was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this product was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this product was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this product was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Array | Various system and custom properties on this asset. |
| Long | The ID of this property. |
| Long | The ID of the type of this property. |
| String | The name of the type of this property. |
| String | The value of this property. |
| String | The source of the most recent update to this property. |
| Long | The time this property was last updated. This time is in milliseconds since epoch. |
| Array | The users associated with this asset. |
| Long | The ID of this username. |
| String | The username. |
| Long | The time this username was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this username was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this username was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this username was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
Action: Get assets
This action retrieves all available assets.
Action Input Parameters
This action does not require any action input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Long | The ID of the asset. |
| Long | The ID of the domain this asset belongs to. |
| Long | The total number of vulnerabilities associated with this asset. |
| Double | The sum of the CVSS scores of the vulnerabilities on this asset. |
| Array | The hostnames on this asset. |
| Long | The ID of this hostname. |
| Enum | The type of hostname. One of "DNS", "NETBIOS", or "NETBIOSGROUP". |
| String | The hostname. |
| Long | The time this hostname was created. This time is in milliseconds since epoch. |
| Long | The time this hostname was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this hostname was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this hostname was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this hostname was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Array | The interfaces on this asset. |
| Long | The ID of this interface. |
| String | The MAC address of this interface. Null if unknown. |
| Array | The IP addresses on this interface. |
| Long | The ID of this interface. |
| Long | The ID of the network this IP address belongs to in QRadar's network hierarchy. |
| String | The IP address. |
| Enum | The type of this IP address. One of "IPV4" or "IPV6". |
| Long | The time this IP address was created. This time is in milliseconds since epoch. |
| Long | The time this IP address was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this IP address was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this IP address was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this IP address was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this interface was created. This time is in milliseconds since epoch. |
| Long | The time this interface was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this interface was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this interface was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this interface was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Array | The software products detected on this asset. |
| Long | The ID of this software product instance in QRadar's asset model. |
| Long | The ID of this software product variant in QRadar's catalog of products. |
| Long | The time this product was most recently scanned for. This time is in milliseconds since epoch. |
| Long | The time this product was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this product was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this product was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this product was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
| Array | Various system and custom properties on this asset. |
| Long | The ID of this property. |
| Long | The ID of the type of this property. |
| String | The name of the type of this property. |
| String | The value of this property. |
| String | The source of the most recent update to this property. |
| Long | The time this property was last updated. This time is in milliseconds since epoch. |
| Array | The users associated with this asset. |
| Long | The ID of this username. |
| String | The username. |
| Long | The time this username was first seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this username was first seen in event or flow traffic. This time is in milliseconds since epoch. |
| Long | The time this username was most recently seen during a vulnerability scan. This time is in milliseconds since epoch. |
| Long | The time this username was most recently seen in event or flow traffic. This time is in milliseconds since epoch. |
Action: Get Closing Reasons
This action retrieves the closing reasons that can be used to close an offense.
Action Input Parameters
This action does not require any action input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object includes the details of one closing reason. |
| Number | The ID of the closing reason. |
| String | The text of the closing reason. |
| Boolean | Determines whether the closing reason is deleted. Deleted closing reasons cannot be used to close an offense. |
| Boolean | Determines whether the closing reason is reserved. Reserved closing reasons cannot be used to close an offense. |
Action: Get Database Names
This action retrieves the names of all databases.
Action Input Parameters
This action does not require any action input parameter.
Action: Get Elements of a Reference Data Set
This action retrieves the elements of a reference data set.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reference Data Set Name | Enter the name of the reference data set. Example: DHCP Servers | Text | Required |
Example Request
[ { "reference_data_set_name": "DHCP Servers" } ]
Action: Get Offense Details
This action retrieves the details of an offense structure that describes the properties of an offense.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Offense ID | Enter the offense ID. Example: 705 | Text | Required | |
Headers | Enter the headers. Example: Range: items 0-1 | Key Value | Optional | |
Filter | Enter the filters to narrow down the offense details. | Key Value | Optional | |
Example Request
[ { "offense_id": "705" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each JSON object includes the details of one offense. |
| Integer | The ID of the offense. |
| String | The description of the offense. |
| String | The user the offense is assigned to. |
| Array of Strings | Event categories that are associated with the offense. |
| Integer | The number of event categories that are associated with the offense. |
| Integer | The number of policy event categories that are associated with the offense. |
| Integer | The number of security event categories that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was closed. |
| String | The user that closed the offense. |
| Integer | The ID of the offense closing reason. The reason the offense was closed. |
| Integer | The credibility of the offense. |
| Integer | The relevance of the offense. |
| Integer | The severity of the offense. |
| Integer | The magnitude of the offense. |
| Array of Strings | The destination networks that are associated with the offense. |
| String | The source network that is associated with the offense. |
| Integer | The number of devices that are associated with the offense. |
| Integer | The number of events that are associated with the offense. |
| Integer | The number of flows that are associated with the offense. |
| Boolean | True if the offense is inactive. |
| Integer | The number of milliseconds since epoch when the last event contributing to the offense was seen. |
| Integer | The number of local destinations that are associated with the offense. |
| String | The source of the offense. |
| Integer | A number that represents the offense type. |
| Boolean | True if the offense is protected. |
| Boolean | True if the offense is marked for follow up. |
| Integer | The number of remote destinations that are associated with the offense. |
| Integer | The number of sources that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was started. |
| String | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| Integer | The number of usernames that are associated with the offense. |
| Array of Integers | The source address IDs that are associated with the offense. |
| Array of Integers | The local destination address IDs that are associated with the offense. |
| Integer | Optional. ID of associated domain if the offense is associated with a single domain. |
| Integer | The number of milliseconds since epoch when an offense field was last updated. |
| Integer | The number of milliseconds since epoch at the time when the offense was created. |
| Array | An array of rules that contributed to the offense. |
| Long Integer | The ID of the rule. |
| String | The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE". |
| Array | An array of log sources that contributed to the offense. |
| Long Integer | The ID of the log source. |
| String | The name of the log source. |
| Long Integer | The ID of the log source type. |
| String | The name of the log source type. |
Action: Get Offense Notes
This action retrieves notes related to an offense.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Offense ID | Enter the ID of the offense whose notes you want to retrieve. Example: 705 | Text | Required | |
Example Request
[ { "offense_id": "705" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Number | The ID of the note. |
| Number | The number of milliseconds since epoch when the note was created. |
| String | The user or authorized service that created the note. |
| String | The note text. |
Action: Get Offenses
This action retrieves a list of offenses that were triggered in QRadar.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Extra Filter Params | Enter additional parameters to filter the responses. For time-based filtering use EPOCH Time in millisecond format. | Key value | Optional | Allowed values: id, description, assigned_to, categories, category_count, close_time, credibility, severity, magnitude, event_count, flow_count, policy_category_count, security_category_count, closing_time, closing_reason_id, relevance, destination_network, source_network, device_count, inactive, last_updated_time, offense_source, offense_type, protected, follow_up, source_count, start_time, status, username_count, domain_id, rules: {id, type} |
Headers | Enter headers in the form of key-value pairs to get a paginated response. Example: Range: items=0-2 | Key value | Optional |
Example Request
[ { "headers": { "Range": "items=0-2" }, "filter": { "id": "10", "flow_count": "42", "event_count": "25", "follow_up": "true", "magnitude": "42", "protected": "true" } } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each JSON object includes the details of one offense. |
| Integer | The ID of the offense. |
| String | The description of the offense. |
| String | The user the offense is assigned to. |
| Array of Strings | Event categories that are associated with the offense. |
| Integer | The number of event categories that are associated with the offense. |
| Integer | The number of policy event categories that are associated with the offense. |
| Integer | The number of security event categories that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was closed. |
| String | The user that closed the offense. |
| Integer | The ID of the offense closing reason. The reason the offense was closed. |
| Integer | The credibility of the offense. |
| Integer | The relevance of the offense. |
| Integer | The severity of the offense. |
| Integer | The magnitude of the offense. |
| Array of Strings | The destination networks that are associated with the offense. |
| String | The source network that is associated with the offense. |
| Integer | The number of devices that are associated with the offense. |
| Integer | The number of events that are associated with the offense. |
| Integer | The number of flows that are associated with the offense. |
| Boolean | True if the offense is inactive. |
| Integer | The number of milliseconds since epoch when the last event contributing to the offense was seen. |
| Integer | The number of local destinations that are associated with the offense. |
| String | The source of the offense. |
| Integer | A number that represents the offense type. |
| Boolean | True if the offense is protected. |
| Boolean | True if the offense is marked for follow up. |
| Integer | The number of remote destinations that are associated with the offense. |
| Integer | The number of sources that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was started. |
| String | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| Integer | The number of usernames that are associated with the offense. |
| Array of Integers | The source address IDs that are associated with the offense. |
| Array of Integers | The local destination address IDs that are associated with the offense. |
| Integer | Optional. ID of associated domain if the offense is associated with a single domain. |
| Integer | The number of milliseconds since epoch when an offense field was last updated. |
| Integer | The number of milliseconds since epoch at the time when the offense was created. |
| Array | An array of rules that contributed to the offense. |
| Long Integer | The ID of the rule. |
| String | The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE". |
| Array | An array of log sources that contributed to the offense. |
| Long Integer | The ID of the log source. |
| String | The name of the log source. |
| Long Integer | The ID of the log source type. |
| String | The name of the log source type. |
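The Get Offenses action pages its response through a `Range: items=start-end` header and expects time filters in epoch milliseconds. The following added example (not the Orchestrate app's own code) pages through offenses until a short page signals the end and applies a time cut on each offense's `start_time` field. It assumes a `run_action(request)` callable that performs one Get Offenses call with a request shaped like the page's example request and returns the list of offense objects; a constructed in-memory stand-in for QRadar is included so the module runs offline. The status filter is sent to QRadar, while the time comparison is done client-side so that nothing is assumed about comparison operators in the action's key/value filter.

```python
"""Page through Get Offenses results with the Range header and filter by time.

Added example. `run_action` is a hypothetical callable standing in for one
invocation of the Orchestrate "Get Offenses" action; the fake below applies
equality filters and a Range window to constructed sample data.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List

RunAction = Callable[[dict], List[dict]]


def epoch_ms(dt: datetime) -> int:
    """QRadar time fields and time filters use milliseconds since the epoch."""
    return int(dt.astimezone(timezone.utc).timestamp() * 1000)


def parse_range(header: str) -> range:
    """'items=0-2' -> range(0, 3); the Range header's bounds are inclusive."""
    lo, hi = header.split("=", 1)[1].split("-", 1)
    return range(int(lo), int(hi) + 1)


def iter_offenses(run_action: RunAction, offense_filter: Dict[str, str],
                  page_size: int = 50) -> Iterator[dict]:
    """Yield offenses page by page; a page shorter than page_size is the last one."""
    start = 0
    while True:
        request = {"headers": {"Range": f"items={start}-{start + page_size - 1}"},
                   "filter": dict(offense_filter)}
        page = run_action(request)
        yield from page
        if len(page) < page_size:
            return
        start += page_size


def open_offenses_since(run_action: RunAction, since: datetime,
                        page_size: int = 50) -> List[dict]:
    """OPEN offenses whose start_time is at or after `since`, newest first."""
    since_ms = epoch_ms(since)
    hits = [o for o in iter_offenses(run_action, {"status": "OPEN"}, page_size)
            if o["start_time"] >= since_ms]
    return sorted(hits, key=lambda o: o["start_time"], reverse=True)


# --- constructed stand-in for QRadar (sample data, not real offenses) ---
BASE_MS = 1_700_000_000_000
SAMPLE_OFFENSES = [
    {"id": i, "status": "OPEN" if i % 3 else "CLOSED",
     "start_time": BASE_MS + i * 3_600_000, "magnitude": i}
    for i in range(1, 8)
]


def make_fake_run_action(offenses: List[dict]) -> RunAction:
    """Apply equality filters, then the Range window, like a paginated API would."""
    def run_action(request: dict) -> List[dict]:
        rows = [o for o in offenses
                if all(str(o.get(k)) == v for k, v in request["filter"].items())]
        window = parse_range(request["headers"]["Range"])
        return rows[window.start:window.stop]
    return run_action


def demo(page_size: int = 2) -> List[int]:
    """IDs of sample OPEN offenses started in the last three sample hours."""
    since = datetime.fromtimestamp((BASE_MS + 4 * 3_600_000) / 1000, tz=timezone.utc)
    fake = make_fake_run_action(SAMPLE_OFFENSES)
    return [o["id"] for o in open_offenses_since(fake, since, page_size)]


if __name__ == "__main__":
    print(demo())   # walks three pages of two offenses each
```

Stopping on a short page avoids an extra empty request at the end, and re-sending the same filter with every page keeps the result set stable across pages.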
Action: Get Query Status
This action retrieves the status of an Ariel search query based on the search ID parameter. The same informational fields are returned regardless of whether the search is in progress or is complete.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Search ID | Enter the search ID of an Ariel search. Example: c02c77a7-9908-434d-9de4-3ec6ad1049b1 | Text | Required |
Example Request
[ { "search_id": "c02c77a7-9908-434d-9de4-3ec6ad1049b1" } ]
Action: Get Reference Data Sets
This action retrieves the available reference data sets.
Action Input Parameters
This action does not require any action input parameter.
Action: Get Ariel Query Saved Searches
This action retrieves Ariel query saved searches.
Action Input Parameters
This action does not require any action input parameter.
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Long | The ID of the Ariel saved search. |
| String | The UUID of the Ariel saved search. |
| String | The name of the Ariel saved search. |
| String | The database of the Ariel saved search, events or flows. |
| Boolean | True if the Ariel saved search is shared with other users. |
| String | The owner of the Ariel saved search. |
| String | The AQL query. |
| String | The description of the Ariel saved search. |
| Boolean | True if the Ariel saved search is an aggregate search. |
| Boolean | True if the Ariel saved search is in the dashboard. |
| Boolean | True if the Ariel saved search is default search. |
| Long | The time that this saved search was created, in milliseconds since the epoch. |
| Long | The time that this saved search was most recently modified, in milliseconds since the epoch. |
Action: Get Search Query Results
This action retrieves the search query results.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Search ID | Enter the search ID. Example: c02c77a7-9908-434d-9de4-3ec6ad1049b1 | Text | Required |
Example Request
[ { "search_id": "c02c77a7-9908-434d-9de4-3ec6ad1049b1" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Array of JSON Objects | The search results for the specified search ID. |
Action: Post an Offense Note
This action posts a note to an offense.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Offense ID | Enter the offense ID to post the note. Example: 705 | Text | Required | |
Offense Note | Enter the note to post to the offense. Example: This is a Malware | Text | Required |
Example Request
[ { "offense_id": "705", "offense_note": "This is a Malware" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one note. |
| Number | The ID of the note. |
| Number | The number of milliseconds since epoch when the note was created. |
| String | The user or authorized service that created the note. |
| String | The note text. |
Action: Retrieve search ID(s)
This action can be used to retrieve search ID(s).
Action Input Parameters
This action does not require any action input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of Strings | A list of search IDs. |
Action: Start New Search using Ariel QL
This action starts a new search using Ariel QL. This creates a new Ariel search as specified by the Ariel Query Language (AQL) query expression. Searches are executed asynchronously. A reference to the search ID is returned and should be used in subsequent API calls to determine the search status and retrieve the results after completion.
Queries are applied to the range of data in a certain time interval. By default, this time interval is the last 60 seconds.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Query Expression | Enter the Ariel QL expression to search. Example: select * from events | Text | Required |
Example Request
[ { "query_expression": "select * from events" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Status of the newly created search. One of WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, and ERROR. |
| String | ID of the newly created search. |
| String | The cursor ID. |
| Array of JSON Objects | List of error messages. |
| Integer | Progress of the search. |
| Array | Details of the search progress. |
| Integer | Execution time of the search query. |
| String | Query string of the search. |
| Integer | Number of records. |
| Boolean | True if the search is saved. |
| Array | List of sub-searches. |
| Integer | Total data size. |
Action: List Tenants
This action retrieves a list of available tenants.
Note
You must have the System Administrator or Security Administrator permissions to perform this action.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Filter | Enter additional information in the form of key-value pairs to filter the response. | Key Value | Optional | Allowed values: |
Headers | Enter headers in the form of key value pairs to get a paginated response. Example: Range: items=0-2 | Key Value | Optional |
Example Request
[ { "headers": { "Range": "items=0-2" }, "filter": { "id": "10", "flow_rate_limit": "42", "event_rate_limit": "42", "deleted": "true", "description": "QA Instance Tenant", "name": "QA Tenant" } } ]
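The `Range: items=0-2` header used by this and the other list actions, as an added example that is not part of the connector documentation or of IBM's code. The bounds are zero-based and inclusive, so `items=0-2` asks for three items; the helper below builds successive windows, stops on the first short page, and caps the number of requests so an endpoint that ignores the header cannot loop forever. `FAKE_TENANTS` and `make_fake_fetch` are constructed stand-ins for the List Tenants action, used only so the walk runs offline.

```python
"""Walk a paginated QRadar list with the Range header.

Added example, not part of the connector documentation or of IBM's code.
The fake fetch function is constructed; a real playbook step would pass the
headers dict to the list action instead.
"""
import re
from typing import Callable, Dict, Iterator, List, Tuple

_RANGE_RE = re.compile(r"^items=(\d+)-(\d+)$")


def range_header(first: int, page_size: int) -> Dict[str, str]:
    """Header for items first..first+page_size-1 (inclusive bounds)."""
    if first < 0 or page_size < 1:
        raise ValueError("first must be >= 0 and page_size >= 1")
    return {"Range": f"items={first}-{first + page_size - 1}"}


def parse_range(header: str) -> Tuple[int, int]:
    """Strictly parse 'items=a-b'; reject anything else, including a > b."""
    m = _RANGE_RE.match(header.strip())
    if not m:
        raise ValueError(f"malformed Range header: {header!r}")
    first, last = int(m.group(1)), int(m.group(2))
    if last < first:
        raise ValueError(f"Range end before start: {header!r}")
    return first, last


def iterate_pages(fetch: Callable[[Dict[str, str]], List[dict]],
                  page_size: int = 50, max_pages: int = 1000) -> Iterator[dict]:
    """Yield every item, requesting one window at a time until a short page."""
    first = 0
    for _ in range(max_pages):
        page = fetch(range_header(first, page_size))
        yield from page
        if len(page) < page_size:          # short page == last page
            return
        first += page_size
    raise RuntimeError(f"gave up after {max_pages} pages; endpoint may be ignoring Range")


# Constructed sample data: seven tenants, none of them real.
FAKE_TENANTS = [{"id": i, "name": f"tenant-{i}", "deleted": i % 4 == 0} for i in range(1, 8)]


def make_fake_fetch(rows: List[dict]):
    """Return (fetch, seen): fetch slices `rows` per the Range header it receives."""
    seen: List[str] = []

    def fetch(headers: Dict[str, str]) -> List[dict]:
        seen.append(headers["Range"])
        first, last = parse_range(headers["Range"])
        return rows[first:last + 1]

    return fetch, seen


def list_all_tenants(page_size: int = 3) -> Tuple[List[dict], List[str]]:
    """Collect all fake tenants and the sequence of Range headers sent."""
    fetch, seen = make_fake_fetch(FAKE_TENANTS)
    return list(iterate_pages(fetch, page_size=page_size)), seen


if __name__ == "__main__":
    rows, sent = list_all_tenants()
    print(len(rows), "tenants via", sent)
```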
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one tenant. |
| Integer | The ID of the tenant. |
| String | The name of the tenant. |
| String | The description of the tenant. |
| Integer | The event rate limit that is assigned to the tenant. |
| Integer | The flow rate limit that is assigned to the tenant. |
| Boolean | Whether or not the tenant has been deleted. Will be true if the tenant has been deleted, and false if it is still active. |
Action: List Domains
This action retrieves a list of all the available domains.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Filter | Enter additional information in the form of key-value pairs to filter the response. | Key Value | Optional | Allowed values: |
Headers | Enter headers in the form of key-value pairs to get a paginated response. Example: Range: items=0-2 | Key Value | Optional |
Example Request
[ { "headers": { "Range": "items=0-2" }, "filter": { "tenant_id": "10", "qvm_scanner_ids": "42", "log_source_ids": "42", "log_source_group_ids": "42", "flow_source_ids": "42", "name": "QA Domain", "flow_collector_ids": "42", "event_collector_ids": "42", "deleted": "false", "description": "QA Instance Domain", "custom_properties": "42", "asset_scanner_ids": "42" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one domain. |
| Integer | The ID of the domain. |
| String | The name of the domain. |
| String | The description given to the domain. |
| Integer | The ID of the tenant that this domain belongs to. |
| Boolean | Whether or not the domain has been deleted. |
| Array of Longs | The list of event collector IDs that are assigned to this domain. |
| Array of Longs | The list of disconnected log collector IDs that are assigned to this domain. |
| Array of Longs | The list of log source IDs that are assigned to this domain. |
| Array of Longs | The list of log source group IDs that are assigned to this domain. |
| Array of Custom Property Objects | The list of custom properties that are assigned to this domain. |
| Array of Longs | The list of flow source IDs that are assigned to this domain. |
| Array of Longs | The list of flow collector IDs that are assigned to this domain. |
| Array of Longs | The list of asset scanner IDs that are assigned to this domain. |
| Array of Longs | The list of QVM scanner IDs that are assigned to this domain. |
| Array of Longs | The list of flow VLAN IDs that are assigned to this domain. |
Action: Get Log Source by ID
This action retrieves a log source by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Log Source ID | Enter the ID of the log source to retrieve details. Example: 10 | Text | Required | |
Filter | Enter additional information in the form of key-value pairs to filter the response. | Key Value | Optional |
Example Request
[ { "id": "10", "filter": {} } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Number | The ID of the log source. |
| String | The unique name of the log source. |
| String | An optional description of the log source. |
| Number | The type of the log source. Must correspond to an existing log source type. |
| Number | The type of protocol that is used by the log source. Must correspond to an existing protocol type. Individual log source types can support only a subset of all available protocol types, as indicated by the protocol_types field of the log source type structure. |
| Array | The set of protocol parameters. This set is a collection of ProtocolParameter structures. The structure of the parameters is defined by the protocol type that is used by the log source. |
| Boolean | If the log source is enabled, the condition is set to 'true'; otherwise, the condition is set to 'false'. |
| Boolean | If the log source is configured as a gateway, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a stand-alone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline. |
| Boolean | If the log source is internal (when the log source type is defined as internal), the condition is set to 'true'. |
| Short | On a scale of 0 - 10 inclusive, the amount of credibility that the QRadar administrator places on this log source. |
| Number | The ID of the event collector where the log source sends its data. The ID must correspond to an existing event collector. |
| Number | The ID of the disconnected log collector where this log source will run. The ID must correspond to an existing disconnected log collector. |
| Boolean | If events collected by this log source are coalesced based on common properties, the condition is set to 'true'. If each individual event is stored, then the condition is set to 'false'. |
| Boolean | If the payloads of events that are collected by this log source are stored, the condition is set to 'true'. If only the normalized event records are stored, then the condition is set to 'false'. |
| Long | The log source extension associated with the log source. The ID must correspond to an existing log source extension or be set to 'null'. |
| Integer | The language of the events that are being processed by this log source. Must correspond to an existing log source language. Individual log source types can support only a subset of all available log source languages, as indicated by the supported_language_ids field of the log source type structure. |
| Array | The set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group. |
| Boolean | Set to 'true' if you need to deploy changes to enable the log source for use; otherwise, set to 'false' if the log source is already active. |
| Object | The status of the log source. |
| Boolean | If the log source was auto-discovered, the condition is set to 'true'. If the log source was created by a user, then the condition is set to 'false'. |
| Number | The average events per second (EPS) rate of the log source over the last 60 seconds. |
| Number | The creation date/time of the log source (in milliseconds since epoch). |
| Number | The last modified date/time of the log source (in milliseconds since epoch). |
| Number | The date/time of the last event received by the log source (in milliseconds since epoch). |
| Long | The internal WinCollect destination for this log source, if applicable. Log sources without an associated WinCollect agent have a null value. Must correspond to an existing WinCollect destination. |
| Array<Long> | The set of external WinCollect destinations for this log source, if applicable. Log Sources without an associated WinCollect agent have a null value. |
| Array<Long> | The name of the legacy bulk group that this log source belongs to. If the field is null, then the log source is not part of any legacy bulk groups. |
| String | The IP address of the system that the log source is associated with or fed by. |
| Integer | The order in which log sources are parsed when several log sources share a common identifier. |
Action: Get Offense Source Address by ID
This action retrieves an offense source address by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Source address ID | Enter the source address unique ID. Example: 10 | Text | Required | |
Filter | Enter additional information in the form of key-value pairs to filter the response. | Key Value | Optional | |
Headers | Enter the range headers in the form of key value pairs to get a paginated response. Example: Range: items=0-2 | Key Value | Optional |
Example Request
[ { "id": "10", "headers": { "Range": "items=0-2" }, "filter": {} } ]
Action: Get Offense Destination Address by ID
This action retrieves an offense destination address by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Destination Address ID | Enter the destination address unique ID to retrieve the offense destination address. Example: 2 | Text | Required |
Example Request
[ { "destination_address_id": "2" } ]
Action: List Log Sources
This action retrieves a list of log sources.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Filter | Enter additional information in the form of key value pairs to filter the response. | Key Value | Optional | |
Headers | Enter headers in the form of key value pairs to get a paginated response. Example: Range: items=0-2 | Key Value | Optional |
Example Request
[ { "filter": {}, "headers": { "Range": "items=0-2" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one log source. |
| Number | The ID of the log source. |
| String | The unique name of the log source. |
| String | An optional description of the log source. |
| Number | The type of the log source. Must correspond to an existing log source type. |
| Number | The type of protocol that is used by the log source. Must correspond to an existing protocol type. Individual log source types can support only a subset of all available protocol types, as indicated by the protocol_types field of the log source type structure. |
| Array | The set of protocol parameters. This set is a collection of ProtocolParameter structures. The structure of the parameters is defined by the protocol type that is used by the log source. |
| Boolean | If the log source is enabled, the condition is set to 'true'; otherwise, the condition is set to 'false'. |
| Boolean | If the log source is configured as a gateway, the condition is set to 'true'; otherwise, the condition is set to 'false'. A gateway log source is a stand-alone protocol configuration. The log source receives no events itself, and serves as a host for a protocol configuration that retrieves event data to feed other log sources. It acts as a "gateway" for events from multiple systems to enter the event pipeline. |
| Boolean | If the log source is internal (when the log source type is defined as internal), the condition is set to 'true'. |
| Short | On a scale of 0 - 10 inclusive, the amount of credibility that the QRadar administrator places on this log source. |
| Number | The ID of the event collector where the log source sends its data. The ID must correspond to an existing event collector. |
| Number | The ID of the disconnected log collector where this log source will run. The ID must correspond to an existing disconnected log collector. |
| Boolean | If events collected by this log source are coalesced based on common properties, the condition is set to 'true'. If each individual event is stored, then the condition is set to 'false'. |
| Boolean | If the payloads of events that are collected by this log source are stored, the condition is set to 'true'. If only the normalized event records are stored, then the condition is set to 'false'. |
| Long | The log source extension associated with the log source. The ID must correspond to an existing log source extension or be set to 'null'. |
| Integer | The language of the events that are being processed by this log source. Must correspond to an existing log source language. Individual log source types can support only a subset of all available log source languages, as indicated by the supported_language_ids field of the log source type structure. |
| Array | The set of log source group IDs this log source is a member of. Each ID must correspond to an existing log source group. |
| Boolean | Set to 'true' if you need to deploy changes to enable the log source for use; otherwise, set to 'false' if the log source is already active. |
| Object | The status of the log source. |
| Boolean | If the log source was auto-discovered, the condition is set to 'true'. If the log source was created by a user, then the condition is set to 'false'. |
| Number | The average events per second (EPS) rate of the log source over the last 60 seconds. |
| Number | The creation date/time of the log source (in milliseconds since epoch). |
| Number | The last modified date/time of the log source (in milliseconds since epoch). |
| Number | The date/time of the last event received by the log source (in milliseconds since epoch). |
| Long | The internal WinCollect destination for this log source, if applicable. Log sources without an associated WinCollect agent have a null value. Must correspond to an existing WinCollect destination. |
| Array<Long> | The set of external WinCollect destinations for this log source, if applicable. Log Sources without an associated WinCollect agent have a null value. Each ID must correspond to an existing WinCollect destination. |
| Array<Long> | The name of the legacy bulk group that this log source belongs to. If the field is null, then the log source is not part of any legacy bulk groups. |
| String | The IP address of the system that the log source is associated with or fed by. |
| Integer | The order in which log sources are parsed when several log sources share a common identifier. |
Action: List Offense Source Address
This action retrieves a list of offense source addresses currently in the system.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Filter | Enter additional information as key-value pairs to filter the response. | Key Value | Optional | |
Headers | Enter headers as key-value pairs to get a paginated response. Example: Range: items=0-2 | Key Value | Optional |
Example Request
[ { "headers": { "Range": "items=0-2" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one source. |
| Number | The ID of the source. |
| String | The IP address. |
| Number | The magnitude of the source address. |
| String | The network of the source address. |
| Array of Numbers | List of offense IDs the source is part of. |
| Array of Numbers | List of local destination address IDs associated with the source address. |
| Number | The number of events and flows that are associated with the source. |
| Number | The number of milliseconds since epoch when the first event or flow was seen. |
| Number | The number of milliseconds since epoch when the last event or flow was seen. |
| Number | The ID of the associated domain. |
Action: List Offense Destination Addresses
This action retrieves a list of local offense destination addresses currently in the system.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Filter | Enter additional information in the form of key-value pairs to filter the response. | Key Value | Optional | |
Headers | Enter headers in the form of key-value pairs to get a paginated response. Example: Range: items=0-2 | Key Value | Optional |
Example Request
[ { "headers": { "Range": "items=0-2" } } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one destination. |
| Number | The ID of the destination address. |
| String | The IP address. |
| Number | The magnitude of the destination address. |
| String | The network of the destination address. |
| Array of Numbers | List of offense IDs the destination address is part of. |
| Array of Numbers | List of source address IDs associated with the destination address. |
| Number | The number of events and flows that are associated with the destination address. |
| Number | The number of milliseconds since epoch when the first event or flow was seen. |
| Number | The number of milliseconds since epoch when the last event or flow was seen. |
| Number | The ID of the associated domain. |
Action: Add a New Reference Set
This action adds a new reference set.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reference Set Name | Enter the name of the reference set. Example: Blacklist IP | Text | Required | |
Reference Set Element Type | Enter the element type for the values allowed in the reference set. | Text | Required | Allowed values: |
Time to Live | Enter the time to live interval. Example: 1 month 1 hour 5 minutes | Text | Optional | |
Timeout Type | Enter the timeout type. This specifies whether the time_to_live interval is based on when the data was first observed, last observed, or if the time of observation is unknown. | Text | Optional | Allowed values: By default, the value is "UNKNOWN". |
Example Request
[ { "element_type": "IP", "time_to_live": "5 minutes", "timeout_type": "FIRST_SEEN", "reference_set_name": "Blacklist IP" } ]
Action: Update Offense
This action updates an offense.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Offense ID | Enter the offense ID to update. Example: 705 | Text | Required | |
Query | Enter key-value pairs to update the offense. Example: | Key Value | Optional | Allowed values: id, description, assigned_to, categories, category_count, close_time, credibility, severity, magnitude, event_count, flow_count, policy_category_count, security_category_count, closing_time, closing_reason_id, relevance, destination_network, source_network, device_count, inactive, last_updated_time, offense_source, offense_type, protected, follow_up, source_count, start_time, status, username_count, domain_id, rules: {id, type} |
Example Request
[ { "query": { "assigned_to": "johndoe" }, "offense_id": "705" } ]
Action Response Parameters
Parameter | Field Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each JSON object includes the details of one offense. |
| Integer | The ID of the offense. |
| String | The description of the offense. |
| String | The user the offense is assigned to. |
| Array of Strings | Event categories that are associated with the offense. |
| Integer | The number of event categories that are associated with the offense. |
| Integer | The number of policy event categories that are associated with the offense. |
| Integer | The number of security event categories that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was closed. |
| String | The user that closed the offense. |
| Integer | The ID of the offense closing reason. The reason the offense was closed. |
| Integer | The credibility of the offense. |
| Integer | The relevance of the offense. |
| Integer | The severity of the offense. |
| Integer | The magnitude of the offense. |
| Array of Strings | The destination networks that are associated with the offense. |
| String | The source network that is associated with the offense. |
| Integer | The number of devices that are associated with the offense. |
| Integer | The number of events that are associated with the offense. |
| Integer | The number of flows that are associated with the offense. |
| Boolean | True if the offense is inactive. |
| Integer | The number of milliseconds since epoch when the last event contributing to the offense was seen. |
| Integer | The number of local destinations that are associated with the offense. |
| String | The source of the offense. |
| Integer | A number that represents the offense type. |
| Boolean | True if the offense is protected. |
| Boolean | True if the offense is marked for follow up. |
| Integer | The number of remote destinations that are associated with the offense. |
| Integer | The number of sources that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was started. |
| String | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| Integer | The number of usernames that are associated with the offense. |
| Array of Integers | The source address IDs that are associated with the offense. |
| Array of Integers | The local destination address IDs that are associated with the offense. |
| Integer | Optional. The ID of the associated domain if the offense is associated with a single domain. |
| Integer | The number of milliseconds since epoch when an offense field was last updated. |
| Integer | The number of milliseconds since epoch at the time when the offense was created. |
| Array | An array of rules that contributed to the offense. |
| Long Integer | The id of the rule. |
| String | The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE". |
| Array | An array of log sources that contributed to the offense. |
| Long | The id of the log source. |
| String | The name of the log source. |
| Long | The id of the log source type. |
| String | The name of the log source type. |
Action: Add or Update an Element in a Reference Set
This action adds or updates an element in a reference set.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reference Set Name | Enter the name of the reference set. Example: Blacklist IP | Text | Required | |
Element Value | Enter an element value to add or update in the given reference set. Date values must be represented in Epoch milliseconds. Example: 1.0.0.0 | Text | Required | |
Fields | Enter the fields to be fetched in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three), field_four | Text | Optional | |
Element Source | Enter the source where the data is originated. | Text | Optional | Default value: reference data API |
Example Request
[ { "value": "1.0.0.0", "reference_set_name": "DHCP Servers" } ]
Action: Delete Reference Set
This action deletes a reference set.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reference Set Name | Enter the name of the reference set to delete. Example: Blacklist IP | Text | Required |
Example Request
[ { "reference_set_name": "Blacklist IP" } ]
Action: Get Reference Set Details
This action retrieves details of a reference set.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reference Set Name | Enter the name of the reference set. Example: DHCP Servers | Text | Required |
Example Request
[ { "reference_data_set_name": "DHCP Servers" } ]
Action: Get Reference Tables
This action retrieves all the available reference tables.
Action Input Parameters
This action does not require any action input parameter.
Action Response Parameters
Parameter | Type | Description |
---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each object represents one reference table. |
| Integer | The collection ID. |
| Integer | The creation time. |
| String | The element type. One of: ALN, NUM, IP, PORT, ALNIC, DATE. |
| String | The label of the element. |
| JSON Object | The labels of the element types. One of: ALN, NUM, IP, PORT, ALNIC, DATE. |
| String | The name of the reference table. |
| String | The namespace of the reference table. One of: PRIVATE, SHARED, TENANT. |
| Integer | The number of elements in the table. |
| String | The time to live. |
| String | The timeout type. One of: UNKNOWN, FIRST_SEEN, LAST_SEEN. |
Action: Get Offense Type by ID
This action retrieves an offense-type structure that describes the properties of an offense type by ID.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Offense Type ID | Enter the ID of the offense type. Example: 18 | Text | Required | |
Filter | Enter additional information in the form of key-value pairs to filter the response. | Key Value | Optional |
Example Request
[ { "filter": { "custom": "true" }, "offense_type_id": "18" } ]
Action: Add Data to a Reference Table
This action adds data to a reference table.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reference Table Name | Enter the name of the reference table to create. Example: Spam Senders Data | Text | Required | |
Outer Key | Enter the outer key for adding the element to the reference table. Example: "source" | Text | Required | |
Inner Key | Enter the inner key for the element to be added to the reference table. Example: key_name_types | Text | Required | |
Extra Params | Enter any additional parameters to add as key-value pairs. | Key Value | Optional | |
Value | Enter the value of the element to be added to the reference table. Date values must be represented in milliseconds since the Unix Epoch on January 1st, 1970. Example: reference value | Text | Required |
Example Request
[ { "query_data": { "value": "reference value", "inner_key": "source", "outer_key": "key_name_types" }, "table_name": "Spam Senders Data" } ]
Action: Get Offense Type
This action retrieves the list of all offense types with the properties of an offense type.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Filter | Enter additional information in the form of key-value pairs to filter the response. | Key Value | Optional |
Example Request
[ { "filters": { "custom": "true" } } ]
Action: Bulk Load Reference Dataset
This action loads data from single or multiple CSV files or a database table for reference.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
---|---|---|---|---|
Reference Set Name | Enter the name of the reference set to update. Example: Aon_Testing | Text | Required | |
Reference Set Value | Enter the list of data to add or update in the reference set. Example: 1.0.0.0 | Text | Required |
Example Request
[ { "reference_set_name": "Aon_Testing", "reference_set_value": [ "2.1.1.1", "8.8.7.8" ] } ]
Action: Delete Reference Set Value
This action deletes a value from a reference set.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Reference Set Name | Enter the name of the reference set to remove a value from. Example: "spam_dataset" | Text | Required | |
Reference Set Value | Enter the value to be removed from the reference set. Example: "reference_set_value" | Text | Required | Note: Dates should be entered in milliseconds since the Unix Epoch, which started on January 1st, 1970. |
Example Request
[ { "reference_set_name": "spam_dataset", "reference_set_value": "reference_set_value" } ]
Action: Delete Reference Table Value
This action deletes a value from a reference table.
Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Reference Table Name | Enter the name of the reference table from which you want to remove a value. Example: Spam senders data | Text | Required | |
Outer Key | Enter the outer key of the value you want to remove. Example: key_name_types | Text | Required | |
Inner Key | Enter the inner key of the value you want to remove. Example: source | Text | Required | |
Reference Set Value | Enter the reference set value to be deleted from the reference table. Example: "reference_set_value" | Text | Required | Date values must be represented in milliseconds since the Unix Epoch, January 1st 1970. |
Example Request
[ { "table_name": "Spam senders data", "outer_key": "key_name_types", "inner_key": "source", "value": "reference_set_value" } ]
Action: List Low Level Categories
This action retrieves a list of low level offense categories.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Range | Enter the range to return the elements. Example: items=0-5 | Text | Optional | The list is indexed starting at zero. |
Filter | Enter the filter to limit and fetch appropriate results. Example: id=4001 | Text | Optional | |
Fields | Enter the fields to be returned in the response. Example: id | Text | Optional | Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas. |
Sort | Enter the sorting order of elements in a list. Example: asc | Text | Optional |
Example Request
[ { "range": "items=0-5", "filters": "id=4001", "fields": "id", "sort": "asc" } ]
Action: List High Level Categories
This action retrieves a list of high level offense categories.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Range | Enter the range to return the elements. Example: "items=0-5" | Text | Optional | The list is indexed starting at zero |
Filter | Enter the filter to limit and fetch appropriate results. Example: "id=4001" | Text | Optional | |
Fields | Enter the fields to be returned in the response. Example: "id" | Text | Optional | Fields that are not named are excluded. Specify subfields in brackets. Multiple fields in the same object are separated by commas. |
Sort | Enter the sorting order for elements in the list. Example: "asc" | Text | Optional |
Example Request
[ { "range": "items=0-5", "filters": "id=4001", "fields": "id", "sort": "asc" } ]
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | Array of JSON Objects | Includes the response received from the app action. Each object represents one category. |
 | Number | The ID of the high level category. |
 | String | The name of the high level category. |
 | String | The description of the high level category. |
Action: Search Indicators in Events
This action searches for indicators in QRadar events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP | Enter one or more IP addresses in a list. Example: $LIST['1.1.1.1'] | List | Optional | |
Username | Enter one or more usernames in a list. Example: $LIST['john'] | List | Optional | |
URL | Enter one or more URLs in a list. Example: $LIST['https://www.sampledomain.com'] | List | Optional | |
MD5 Hash | Enter one or more MD5 hash values in a list. Example: $LIST['d41d8cd98f00b204e9800998ecf8427e'] | List | Optional | |
SHA-256 Hash | Enter one or more SHA256 hash values in a list. Example: $LIST['e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'] | List | Optional | |
SHA-1 Hash | Enter one or more SHA1 hash values in a list. Example: $LIST['2aae6c35c94fcfb415dbe95f408b9ce91ee846ed'] | List | Optional | |
Search String | Enter the query string to search for indicators in the event name and description. Example: ['exampleevent'] | List | Optional | |
Example Request
[ { "ip": [ "1.1.1.1" ], "url": [ "https://www.sampledomain.com" ], "username": [ "JohnDoe" ] } ]
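Every indicator field of this action is a list, and a malformed entry (a hostname in the IP list, a truncated hash) is easy to let through when the lists come from an enrichment step. The following is an added example, not part of the connector or of this page, that validates and normalizes each indicator kind before building the one-object request list the action expects, and reports what it dropped so the playbook can log it rather than silently search for less. The keys `ip`, `url` and `username` are taken from the example request above; the keys `md5_hash`, `sha256_hash`, `sha1_hash` and `search_string` are assumptions for illustration, as is the `HASH_LENGTHS` lookup.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

# Expected hex digest lengths per algorithm (constructed for this example).
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def is_ip(value: str) -> bool:
    """Accept IPv4 or IPv6 literals only; hostnames and CIDR ranges are rejected."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_hash(value: str, kind: str) -> bool:
    """A digest is valid when it is lowercase hex of the exact length for its algorithm."""
    return len(value) == HASH_LENGTHS[kind] and HEX_RE.match(value) is not None


def is_url(value: str) -> bool:
    """Require an http(s) scheme and a host; bare words such as 'foo' are rejected."""
    from urllib.parse import urlparse
    parsed = urlparse(value)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def is_username(value: str) -> bool:
    return bool(value) and not any(ch.isspace() for ch in value)


def build_indicator_search(ips=(), usernames=(), urls=(), md5=(), sha256=(), sha1=(),
                           search_strings=()) -> Tuple[List[Dict], List[Tuple[str, str, str]]]:
    """Return (request, rejected).

    request is the single-object list the action takes, holding only the
    indicator kinds that survived validation; rejected lists (key, raw value,
    reason) for everything that was dropped.
    """
    lower = lambda v: v.strip().lower()
    strip = lambda v: v.strip()
    # Key names for hashes and search strings are assumptions, see lead-in.
    specs: List[Tuple[str, tuple, Callable[[str], bool], Callable[[str], str]]] = [
        ("ip", tuple(ips), is_ip, strip),
        ("username", tuple(usernames), is_username, strip),
        ("url", tuple(urls), is_url, strip),
        ("md5_hash", tuple(md5), lambda v: is_hash(v, "md5"), lower),
        ("sha256_hash", tuple(sha256), lambda v: is_hash(v, "sha256"), lower),
        ("sha1_hash", tuple(sha1), lambda v: is_hash(v, "sha1"), lower),
        ("search_string", tuple(search_strings), lambda v: bool(v), strip),
    ]
    body: Dict[str, List[str]] = {}
    rejected: List[Tuple[str, str, str]] = []
    for key, values, check, normalize in specs:
        kept: List[str] = []
        for raw in values:
            value = normalize(str(raw))
            if not check(value):
                rejected.append((key, str(raw), f"not a valid {key}"))
            elif value not in kept:  # de-duplicate while preserving order
                kept.append(value)
        if kept:
            body[key] = kept
    return [body], rejected


if __name__ == "__main__":
    request, dropped = build_indicator_search(
        ips=["1.1.1.1", "999.1.1.1"],
        urls=["https://www.sampledomain.com", "notaurl"],
        md5=["D41D8CD98F00B204E9800998ECF8427E"],
    )
    print(request)
    print(dropped)
```

Hashes are lowercased before the length and hex checks so that an uppercase digest from a sandbox report matches the same value stored in lowercase; an empty request (`[{}]`) is returned when nothing validates, which the caller should treat as "do not run the search".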
Action Response Parameters
Parameter | Type | Description |
---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | JSON Object | Includes the response received from the app action. Each key within this object represents a specific aspect of the response. |
app_instance.response.completed | Boolean | Indicates whether the process is completed or not. Example: true |
app_instance.response.compressed_data_file_count | Integer | The number of compressed data files. Example: 5 |
app_instance.response.compressed_data_total_size | Long | The total size of compressed data files in bytes. Example: 10485760 |
app_instance.response.cursor_id | String | The ID of the cursor for tracking the query results. Example: "abc123" |
app_instance.response.data_file_count | Integer | The number of data files. Example: 3 |
app_instance.response.data_total_size | Long | The total size of data files in bytes. Example: 20485760 |
app_instance.response.desired_retention_time_msec | Long | The desired retention time in milliseconds. Example: 86400000 |
app_instance.response.index_file_count | Integer | The number of index files. Example: 1 |
app_instance.response.index_total_size | Long | The total size of index files in bytes. Example: 102400 |
app_instance.response.processed_record_count | Integer | The number of records that have been processed. Example: 5000 |
app_instance.response.progress | Integer | The progress of the query, represented as a percentage. Example: 75 |
app_instance.response.progress_details | Array | Detailed information about the progress, typically an empty array if not provided. |
app_instance.response.query_execution_time | Long | The time taken to execute the query in milliseconds. Example: 2500 |
app_instance.response.query_string | String | The AQL (Ariel Query Language) query string used to retrieve the data. Example: "SELECT * FROM table_name" |
app_instance.response.record_count | Integer | The total number of records returned by the query. Example: 10000 |
app_instance.response.save_results | Boolean | Indicates whether the results are saved. Example: true |
app_instance.response.search_id | String | The unique identifier for the search operation. Example: "search123" |
app_instance.response.size_on_disk | Long | The size of the data on disk in bytes. Example: 409600 |
app_instance.response.status | String | The current status of the query, e.g., 'WAIT', 'RUNNING', 'COMPLETED'. Example: "COMPLETED" |
app_instance.response.subsearch_ids | Array | An array of subsearch IDs associated with the main search. Example: ["subsearch1", "subsearch2"] |
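The response above is a search handle rather than the matching events: `status`, `completed` and `progress` tell a playbook whether the results can be fetched yet. The following is an added example, not connector code and not from this page, that unwraps the `{app_instance}.response` object, classifies the search as pending, ready or failed, and polls until it is ready. Only the statuses the page documents (`WAIT`, `RUNNING`, `COMPLETED`) are recognized; any other value stops the loop so an unexpected state is surfaced instead of polled forever. The instance key `qradar_prod`, the `make_fetch` replay helper and the sample responses are constructed for this example.

```python
import time
from typing import Callable, Dict, List, Tuple

PENDING_STATUSES = {"WAIT", "RUNNING"}  # in-progress values listed for the status field
READY_STATUS = "COMPLETED"


def unwrap(action_result: dict) -> dict:
    """Return app_instance.response from the action result.

    The result is keyed by the Orchestrate app instance ID, which differs per
    deployment, so the single instance entry is taken regardless of its name.
    """
    if len(action_result) != 1:
        raise ValueError("expected exactly one app instance in the action result")
    (instance,) = action_result.values()
    return instance["response"]


def classify_search(response: dict) -> Tuple[str, str]:
    """Map a search response to ('pending' | 'ready' | 'failed', reason).

    status and completed are cross-checked: a response that says COMPLETED
    while completed is still false is treated as pending, not done.
    """
    status = str(response.get("status", "")).upper()
    completed = bool(response.get("completed", False))
    progress = int(response.get("progress", 0))
    if status == READY_STATUS and completed:
        return "ready", f"{response.get('record_count', 0)} records"
    if status in PENDING_STATUSES or (status == READY_STATUS and not completed):
        return "pending", f"{status} {progress}%"
    # Undocumented or missing status: stop polling and let the caller alert.
    return "failed", f"unexpected status {status!r}"


def poll_search(fetch: Callable[[str], dict], search_id: str,
                max_polls: int = 5, delay: float = 0.0) -> dict:
    """Call fetch(search_id) until the search is ready; raise on failure or timeout.

    fetch stands in for the 'Get Query Status' action; delay is the pause between polls.
    """
    if max_polls < 1:
        raise ValueError("max_polls must be at least 1")
    last: dict = {}
    for _ in range(max_polls):
        last = unwrap(fetch(search_id))
        state, reason = classify_search(last)
        if state == "ready":
            return last
        if state == "failed":
            raise RuntimeError(f"search {search_id}: {reason}")
        time.sleep(delay)
    raise TimeoutError(f"search {search_id} still {classify_search(last)[1]} after {max_polls} polls")


# Constructed sample: three successive action results for one search (not real QRadar output).
SAMPLE_RESULTS: List[Dict] = [
    {"qradar_prod": {"response": {"search_id": "search123", "status": "WAIT",
                                  "completed": False, "progress": 0}}},
    {"qradar_prod": {"response": {"search_id": "search123", "status": "RUNNING",
                                  "completed": False, "progress": 75}}},
    {"qradar_prod": {"response": {"search_id": "search123", "status": "COMPLETED",
                                  "completed": True, "progress": 100, "record_count": 10000}}},
]


def make_fetch(results: List[Dict]) -> Callable[[str], dict]:
    """Return a fetch() that replays results in order, then repeats the last one."""
    queue = list(results)

    def fetch(search_id: str) -> dict:
        if len(queue) > 1:
            return queue.pop(0)
        return queue[0]

    return fetch


if __name__ == "__main__":
    ready = poll_search(make_fetch(SAMPLE_RESULTS), "search123")
    print(ready["search_id"], ready["record_count"])
```

In a real playbook `fetch` would wrap the Get Query Status action and `delay` would be a few seconds; bounding the loop with `max_polls` keeps a stuck search from holding the workflow open, and the `record_count` in the ready response is what to check before calling Get Search Query Results.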