IBM QRadar
IBM QRadar is a network security management platform that provides situational awareness and uses a combination of flow-based network knowledge, security event correlation, and asset-based vulnerability assessment.
Supported Actions and Example Prompts
The following table lists the supported actions and prompt examples for an action:
Action Name | Description | Example Prompt |
|---|---|---|
Get Offense Details | This action retrieves the details of an offense. For more information, see Action: Get Offense Details. | Get the details of the offense ID 705 using IBM QRadar. |
Get Offenses | This action retrieves the offenses that were triggered in QRadar. For more information, see Action: Get Offenses. | Get all the Offenses from IBM QRadar. |
Get Search Query Results | This action retrieves the search query results. For more information, see Action: Get Search Query Results. | Get the search query results of the ID c02c77a7-9908-434d-9de4-3ec6ad1049b1 using the IBM QRadar app. |
Search Indicators in Events | This action searches for indicators in QRadar events. For more information, see Action: Search Indicators in Events. | Search for the 1.1.1.1 indicator in the IBM QRadar app. |
Start New Search Using Ariel QL | This action starts a new search using the Ariel query language. For more information, see Action: Start New Search using Ariel QL. | Search select * from events in the IBM QRadar app. |
Install and Configure the App
Install and configure the required apps to enable Quarterback AI to perform various security-related tasks and provide relevant responses. After installing an app, you must create an instance that will be used to communicate with the app endpoints. An app can have multiple instances, and you can set a default instance from the configured instance list.
Before you Start
Ensure you have the API token to authenticate with the IBM QRadar app.
Steps
To install and configure an app, follow these steps:
Go to the application, in the left pane, select Quarterback AI.
In Apps, select IBM QRadar and click Install.
After the app is installed, click Configure and enter the following details to create an instance:
Instance Name: Enter a name for the instance.
Instance Description: Enter a description for the instance.
Expiry: Select an expiry date for the instance.
Set as default instance: Select this option to set this instance as the default instance. By default, this instance will be used to perform actions from this app.
Base URL: Enter the base URL to access IBM QRadar. For example, https://ibmqradardomain.com.
Username: Enter the username to access the QRadar application. Authentication requires either a username and password or an API token.
Password: Enter the password to access the QRadar application. Authentication requires either a username and password or an API token.
API Token: Enter the API token to access the QRadar application. Authentication requires either a username and password or an API token.
Verify: Select this option to verify SSL while making requests. It is recommended to select this option to ensure a secure connection. By default, this option is not selected.
Timeout: Enter the timeout value in seconds. This is the number of seconds that requests will wait to establish a connection with IBM QRadar. You can enter values between 15 - 120 seconds. By default, 15 seconds is set.
API Version: Enter the IBM QRadar API version. For example, 11.0. The default version supported is 11.0.
Click Done.
The instance is created, and you can view it in Instances. To create another instance, click Add Instance.
Action: Get Offense Details
This action retrieves the details of an offense structure that describes the properties of an offense.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
Offense ID | Enter the offense ID. Example: 705 | Text | Required | |
Headers | Enter the headers. Example: Range: items 0-1 | Key Value | False | |
Filter | Enter the filters to get the details of offenses. | Key Value | False |
Example Request
[
{
"offense_id": "705"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each JSON object includes the details of one offense. |
| Integer | The ID of the offense. |
| String | The description of the offense. |
| String | The user the offense is assigned to. |
| Array of Strings | Event categories that are associated with the offense. |
| Integer | The number of event categories that are associated with the offense. |
| Integer | The number of policy event categories that are associated with the offense. |
| Integer | The number of security event categories that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was closed. |
| String | The user that closed the offense. |
| Integer | The ID of the offense closing reason. The reason the offense was closed. |
| Integer | The credibility of the offense. |
| Integer | The relevance of the offense. |
| Integer | The severity of the offense. |
| Integer | The magnitude of the offense. |
| Array of Strings | The destination networks that are associated with the offense. |
| String | The source network that is associated with the offense. |
| Integer | The number of devices that are associated with the offense. |
| Integer | The number of events that are associated with the offense. |
| Integer | The number of flows that are associated with the offense. |
| Boolean | True if the offense is inactive. |
| Integer | The number of milliseconds since epoch when the last event contributing to the offense was seen. |
| Integer | The number of local destinations that are associated with the offense. |
| String | The source of the offense. |
| Integer | A number that represents the offense type. |
| Boolean | True if the offense is protected. |
| Boolean | True if the offense is marked for follow up. |
| Integer | The number of remote destinations that are associated with the offense. |
| Integer | The number of sources that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was started. |
| String | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| Integer | The number of usernames that are associated with the offense. |
| Array of Integers | The source address IDs that are associated with the offense. |
| Array of Integers | The local destination address IDs that are associated with the offense. |
| Integer | Optional. ID of associated domain if the offense is associated with a single domain. |
| Integer | The number of milliseconds since epoch when an offense field was last updated. |
| Integer | The number of milliseconds since epoch at the time when the offense was created. |
| Array | An array of rules that contributed to the offense. |
| Long Integer | The id of the rule. |
| String | The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE". |
| Array | An array of log sources contributed to the offense. |
| Long Integer | The id of the log source. |
| String | The name of the log source. |
| Long Integer | The id of the log source type. |
| String | The name of the log source type. |
Action: Get Offenses
This action retrieves a list of offenses that were triggered in QRadar.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
Extra Filter Params | Enter additional parameters to filter the responses. For time-based filtering, use EPOCH Time in milliseconds format. | Key value | Optional | Allowed values: id, description, assigned_to, categories, category_count, close_time, credibility, severity, magnitude, event_count, flow_count, policy_category_count, security_category_count, closing_time, closing_reason_id, relevance, destination_network, source_network, device_count, inactive, last_updated_time, offense_source, offense_type, protected, follow_up, source_count, start_time, status, username_count, domain_id, rules: {id, type} |
Headers | Enter headers in the form of key-value pairs to get a paginated response. Example: Range: items=0-2 | Key value | Optional |
Example Request
[
{
"headers":
{
"Range":"items=0-2"
},
“filter”:
{
“id”: “10”,
“flow_count“: “42“,
“event_count“: “25“,
“follow_up”: “true”,
“magnitude”: “42”,
“protected”: “true”
}
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| Array of JSON Objects | Includes the response received from the app action. Each JSON object includes the details of one offense. |
| Integer | The ID of the offense. |
| String | The description of the offense. |
| String | The user the offense is assigned to. |
| Array of Strings | Event categories that are associated with the offense. |
| Integer | The number of event categories that are associated with the offense. |
| Integer | The number of policy event categories that are associated with the offense. |
| Integer | The number of security event categories that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was closed. |
| String | The user that closed the offense. |
| Integer | The ID of the offense closing reason. The reason the offense was closed. |
| Integer | The credibility of the offense. |
| Integer | The relevance of the offense. |
| Integer | The severity of the offense. |
| Integer | The magnitude of the offense. |
| Array of Strings | The destination networks that are associated with the offense. |
| String | The source network that is associated with the offense. |
| Integer | The number of devices that are associated with the offense. |
| Integer | The number of events that are associated with the offense. |
| Integer | The number of flows that are associated with the offense. |
| Boolean | True if the offense is inactive. |
| Integer | The number of milliseconds since epoch when the last event contributing to the offense was seen. |
| Integer | The number of local destinations that are associated with the offense. |
| String | The source of the offense. |
| Integer | A number that represents the offense type. |
| Boolean | True if the offense is protected. |
| Boolean | True if the offense is marked for follow up. |
| Integer | The number of remote destinations that are associated with the offense. |
| Integer | The number of sources that are associated with the offense. |
| Integer | The number of milliseconds since epoch when the offense was started. |
| String | The status of the offense. One of "OPEN", "HIDDEN", or "CLOSED". |
| Integer | The number of usernames that are associated with the offense. |
| Array of Integers | The source address IDs that are associated with the offense. |
| Array of Integers | The local destination address IDs that are associated with the offense. |
| Integer | Optional. ID of associated domain if the offense is associated with a single domain. |
| Integer | The number of milliseconds since epoch when an offense field was last updated. |
| Integer | The number of milliseconds since epoch at the time when the offense was created. |
| Array | An array of rules that contributed to the offense. |
| Long Integer | The id of the rule. |
| String | The type of rule. One of "ADE_RULE", "BUILDING_BLOCK_RULE", or "CRE_RULE". |
| Array | An array of log sources contributed to the offense. |
| Long Integer | The id of the log source. |
| String | The name of the log source. |
| Long Integer | The id of the log source type. |
| String | The name of the log source type. |
Action: Get Search Query Results
This action retrieves the search query results.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
Search ID | Enter the search ID. Example: c02c77a7-9908-434d-9de4-3ec6ad1049b1 | Text | Required |
Example Request
[
{
"search_id": "c02c77a7-9908-434d-9de4-3ec6ad1049b1"
}
]Action Response Parameters
Parameter | Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Array of JSON Objects | The search results for the specified search ID. |
Action: Search Indicators in Events
This action searches for indicators in QRadar events.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
IP | Enter one or more IP addresses in a list. Example: $LIST['1.1.1.1'] | List | Optional | |
Username | Enter one or more usernames in a list. Example: $LIST['john'] | List | Optional | |
URL | Enter one or more URLs in a list. Example: $LIST[‘https://www.sampledomain.com'] | List | Optional | |
MD5 Hash | Enter one or more MD5 hash values in a list. Example: $LIST['d41d8cd98f00b204e9800998ecf8427e'] | List | Optional | |
SHA-256 Hash | Enter one or more SHA256 hash values in a list. Example: $LIST['e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'] | List | Optional | |
SHA-1 Hash | Enter one or more SHA1 hash values in a list. Example: $LIST['2aae6c35c94fcfb415dbe95f408b9ce91ee846ed'] | List | Optional | |
Search String | Enter the query string to search for indicators in the event name and description. Example: ['exampleevent'] | List | Optional |
Example Request
[
{
"ip": [
"1.1.1.1"
],
"url": "[https://www.sampledomain.com]",
"username": "[JohnDoe]"
}
]Action Response Parameters
Parameter | Type | Description |
|---|---|---|
{app_instance} | JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
app_instance.response | JSON Object | Includes the response received from the app action. Each key within this object represents a specific aspect of the response. |
app_instance.response.completed | Boolean | Indicates whether the process is completed or not. Example: true |
app_instance.response.compressed_data_file_count | Integer | The number of compressed data files. Example: 5 |
app_instance.response.compressed_data_total_size | Long | The total size of compressed data files in bytes. Example: 10485760 |
app_instance.response.cursor_id | String | The ID of the cursor for tracking the query results. Example: "abc123" |
app_instance.response.data_file_count | Integer | The number of data files. Example: 3 |
app_instance.response.data_total_size | Long | The total size of data files in bytes. Example: 20485760 |
app_instance.response.desired_retention_time_msec | Long | The desired retention time in milliseconds. Example: 86400000 |
app_instance.response.index_file_count | Integer | The number of index files. Example: 1 |
app_instance.response.index_total_size | Long | The total size of index files in bytes. Example: 102400 |
app_instance.response.processed_record_count | Integer | The number of records that have been processed. Example: 5000 |
app_instance.response.progress | Integer | The progress of the query, represented as a percentage. Example: 75 |
app_instance.response.progress_details | Array | Detailed information about the progress, typically an empty array if not provided. |
app_instance.response.query_execution_time | Long | The time taken to execute the query in milliseconds. Example: 2500 |
app_instance.response.query_string | String | The SQL query string used to retrieve the data. Example: "SELECT * FROM table_name" |
app_instance.response.record_count | Integer | The total number of records returned by the query. Example: 10000 |
app_instance.response.save_results | Boolean | Indicates whether the results are saved. Example: true |
app_instance.response.search_id | String | The unique identifier for the search operation. Example: "search123" |
app_instance.response.size_on_disk | Long | The size of the data on disk in bytes. Example: 409600 |
app_instance.response.status | String | The current status of the query, e.g., 'WAIT', 'RUNNING', 'COMPLETED'. Example: "COMPLETED" |
app_instance.response.subsearch_ids | Array | An array of subsearch IDs associated with the main search. Example: ["subsearch1", "subsearch2"] |
Action: Start New Search using Ariel QL
This action starts a new search using Ariel QL. This creates a new Ariel search as specified by the Ariel Query Language (AQL) query expression. Searches are executed asynchronously. A reference to the search ID is returned and should be used in subsequent API calls to determine the search status and retrieve the results after completion.
Queries are applied to the range of data in a certain time interval. By default, this time interval is the last 60 seconds.
Action Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
Query Expression | Enter the Ariel QL expression to search. Example: select * from events | Text | Required |
Example Request
[
{
"query_expression": "select * from events"
}
]Action Response Parameters
Parameter | Field Type | Description |
|---|---|---|
| JSON Object | This parameter indicates the ID of the app instance configured in Orchestrate from which the response is retrieved. |
| JSON Object | Includes the response received from the app action. |
| Integer | Status of the newly created search. One of WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, and ERROR. |
| String | ID of the newly created search. |
| String | The cursor ID. |
| Array of JSON Objects | List of error messages. |
| Integer | Progress of the search. |
| Array | Details of the search progress. |
| Integer | Execution time of the search query. |
| String | Query string of the search. |
| Integer | Number of records. |
| Boolean | True if the search if saved. |
| Array | List of sub-searches. |
| Integer | Total data size. |