IBM Security ReaQta
App Vendor: IBM Corporation
App Category: Network Security
Connector Version: 1.0.0
API Version: v1
About App
IBM Security ReaQta is an Endpoint Detection and Response (EDR) solution that helps organizations to protect endpoints against zero-day threats.
The IBM Security ReaQta app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Add Notes Alert | This action adds notes to an alert. |
Close an Alert | This action closes an alert. |
Generic Action | This is a generic action to perform any additional use case on IBM Security ReaQta. |
Get Alert Details | This action retrieves the details of an alert. |
Get Alert Event | This action retrieves the events of an alert. |
Get Alerts | This action retrieves a list of alerts. |
Get Endpoint Details | This action retrieves the details of an endpoint. |
Get Endpoints | This action retrieves a list of endpoints. |
Isolate Endpoint | This action isolates an endpoint. |
Remove Isolation for Endpoint | This action removes an endpoint from isolation. |
Search Events | This action searches for events. |
Configuration Parameters
The following configuration parameters are required for the IBM Security ReaQta app to communicate with the IBM Security ReaQta enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Base URL | Enter the base URL of the IBM Security ReaQta app. Example: "https://www.ibm.com" | Text | Required | |
App ID | Enter the app ID. Example: "Sample app ID" | Text | Required | |
Secret Key | Enter the secret key. | Password | Required | |
Action: Add Notes Alert
This action adds notes to an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: "8746422719983124xx" | Text | Required | You can retrieve the alert ID using the Get Alerts action. |
Notes | Enter the notes to be added. Example: "Priority alert" | Text | Required | |
Example Request
[ { "alert_id": "8746422719983124xx", "notes": "Priority alert" } ]
Action: Close an Alert
This action closes an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: "8746422719983124xx" | Text | Required | You can retrieve the alert ID using the Get Alerts action. |
Malicious | Whether to mark the alert as malicious when closing it. Example: true | Boolean | Optional | Allowed values: true, false. Default value: false |
Example Request
[ { "alert_id": "8746422719983124xx", "malicious": true } ]
Action: Generic Action
This is a generic action to perform any additional use case on IBM Security ReaQta.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint | Enter the complete API endpoint to send a request. Example: "https://www.ibm.com/users/" | Text | Required | |
HTTP Method | Enter an HTTP method in capital letters. Example: "POST" | Text | Required | |
Request Body | Enter the request body in JSON format. Example: $JSON[{'x1':'y2'}] | JSON | Optional | |
Query Params | Enter the query parameters in JSON format. Example: $JSON[{'a1':'b2'}] | JSON | Optional | |
Example Request
[ { "method": "POST", "endpoint": "https://www.ibm.com/users/", "query_params": {"a1": "b2"}, "payload_data": {"x1": "y2"} } ]
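As an added illustration that is not part of the IBM Security ReaQta app or of this document, the helper below checks a Generic Action item (keys as in the example request above) against the constraints the parameter table states before the item is handed to the Orchestrate app. The host names are constructed placeholders; the real value is the instance's Base URL parameter.

```python
import json
from urllib.parse import urlsplit

# Hypothetical helper, not part of the IBM Security ReaQta app or of Orchestrate.
# It checks a Generic Action item (keys as in the Example Request above) against the
# constraints the parameter table states, before the item is passed to the app.

def generic_request_problems(base_url, item):
    """Return a list of human-readable problems; an empty list means the item is acceptable."""
    problems = []
    method = item.get("method", "")
    # The HTTP Method field must be given in capital letters ("POST", not "post")
    if not (isinstance(method, str) and method.isalpha() and method.isupper()):
        problems.append(f"method must be an HTTP verb in capital letters, got {method!r}")
    # The Endpoint field is a complete URL; keep it on the configured ReaQta host and scheme,
    # because the app authenticates every request with the instance's App ID and Secret Key
    base, target = urlsplit(base_url), urlsplit(str(item.get("endpoint", "")))
    if target.scheme != base.scheme or target.netloc.lower() != base.netloc.lower():
        problems.append(f"endpoint {item.get('endpoint')!r} is not under base URL {base_url!r}")
    # Request Body and Query Params are JSON objects ($JSON[{...}]), so reject anything else
    for key in ("query_params", "payload_data"):
        if key in item and not isinstance(item[key], dict):
            problems.append(f"{key} must be a JSON object, got {type(item[key]).__name__}")
    # Everything must survive JSON serialisation on its way to the app
    try:
        json.dumps(item)
    except (TypeError, ValueError) as exc:
        problems.append(f"item is not JSON-serialisable: {exc}")
    return problems


def build_generic_request(base_url, method, endpoint, query_params=None, payload_data=None):
    """Assemble the single-item list the Generic Action expects, raising if it is not acceptable."""
    item = {"method": method, "endpoint": endpoint}
    if query_params is not None:
        item["query_params"] = query_params
    if payload_data is not None:
        item["payload_data"] = payload_data
    problems = generic_request_problems(base_url, item)
    if problems:
        raise ValueError("; ".join(problems))
    return [item]


if __name__ == "__main__":
    # Constructed placeholder host; the real value is the instance's Base URL parameter
    base = "https://reaqta.example.invalid"
    print(build_generic_request(base, "POST", base + "/users/", {"a1": "b2"}, {"x1": "y2"}))
```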
Action: Get Alert Details
This action retrieves the details of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: "8746422719983124xx" | Text | Required | You can retrieve the alert ID using the Get Alerts action. |
Example Request
[ { "alert_id": "8746422719983124xx" } ]
Action: Get Alert Event
This action retrieves the events of an alert.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Alert ID | Enter the alert ID. Example: "8746422719983124xx" | Text | Required | You can retrieve the alert ID using the Get Alerts action. |
Filters | Enter the filters to narrow down the results. Example: $JSON[{'country': 'USA'}] | JSON | Optional | For a complete list of allowed keys, see ReaQta API Reference. |
Example Request
[ { "alert_id": "8746422719983124xx", "filters": {"country": "USA"} } ]
Action: Get Alerts
This action retrieves a list of alerts.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters to narrow down the search. Example: $JSON[{'severity': 'High'}] | JSON | Optional | For a complete list of allowed keys, see ReaQta API Reference. |
Example Request
[ { "filters": {"severity": "High"} } ]
Action: Get Endpoint Details
This action retrieves the details of an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint ID | Enter the endpoint ID. Example: "5788530672570204xx" | Text | Required | You can retrieve the endpoint ID using the Get Endpoints action. |
Example Request
[ { "endpoint_id": "5788530672570204xx" } ]
Action: Get Endpoints
This action retrieves a list of endpoints.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Filters | Enter the filters to narrow down the results. Example: $JSON[{'connected': true}] | JSON | Optional | For a complete list of allowed keys, see ReaQta API Reference. |
Example Request
[ { "filters": {"connected": true} } ]
Action: Isolate Endpoint
This action isolates an endpoint.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint ID | Enter the endpoint ID to isolate. Example: "5788530672570204xx" | Text | Required | You can retrieve the endpoint ID using the Get Endpoints action. |
Example Request
[ { "endpoint_id": "5788530672570204xx" } ]
Action: Remove Isolation for Endpoint
This action removes an endpoint from isolation.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Endpoint ID | Enter the endpoint ID to remove from isolation. Example: "5788530672570204xx" | Text | Required | You can retrieve the endpoint ID using the Get Endpoints action. |
Example Request
[ { "endpoint_id": "5788530672570204xx" } ]
Action: Search Events
This action searches for events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Limit | Enter the number of items to return per page. Example: 50 | Integer | Optional | Default value: 50 |
Sort By | Enter the preference to sort the search result. Example: "asc" | Text | Optional | Allowed values: |
Group ID | Enter a group ID to return events of the endpoints that belong to the group. Example: "sample ID" | List | Optional | |
Example Request
[ { "limit": 50, "sort_by":"asc", "group_id": "sample ID" } ]