IBM QRadar
Version: 2.0.0
IBM® QRadar® Security Information and Event Management (SIEM) helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.
Connect QRadar with LogicHub
- Navigate to Automations > Integrations.
- Search for IBM QRadar.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select whether to verify the connecting server's SSL certificate (default is to verify the certificate). Leave this on outside a lab: with verification off, the token is sent to whichever host answers at the URL.
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- URL: URL of your IBM QRadar console; the integration calls its REST API at this address.
- Authentication Token: Authorized service token for IBM QRadar. The integration sends it in the SEC header of every API call, so scope the service to the permissions the actions below need.
- After you've entered all the details, click Connect.
Actions for QRadar
Get Offenses
Get offenses from QRadar
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000 | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000 | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}} | Optional |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Range | Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero. | Optional |
Sort | Condition for sorting (default is empty value) Example: +field_one,-object(sub_field). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of offenses
Get Offense By ID
Get offense from QRadar with the given ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Column name from parent table containing offense ID | Required |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Offense object
Update Offense
Update offense in QRadar.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Offense ID | Column name from parent table containing Offense ID. | Required |
Assigned To User Column | Column name from parent table containing a user to assign the offense to (Default is Empty value). | Required |
Closing Reason ID | Column name from parent table containing the ID of a closing reason (Default is 0 as ID). You must provide a valid closing_reason_id when you close an offense. | Optional |
Status | Column name from parent table containing the new status of offense (Default is Empty value). Set to one of OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status. | Optional |
Fields | Comma-separated fields (Default is Empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Updated Offense object.
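The following Python example is added here and is not part of the LogicHub integration or of QRadar itself. It shows the QRadar REST requests that the connection settings, Get Offenses and Update Offense correspond to: the token travels in the SEC header, Filter, Fields and Sort become query parameters on /api/siem/offenses, Range is an HTTP header, and a status of CLOSED is refused unless a closing reason ID greater than the default 0 is supplied. The API version string and the console hostname are assumptions; the filter string is passed in already rendered.

```python
import json
import re
import ssl
import urllib.parse
import urllib.request

# Assumed value: pin the API version your console supports so response shapes stay stable.
API_VERSION = "12.0"
OFFENSE_STATUSES = {"OPEN", "HIDDEN", "CLOSED"}
RANGE_HEADER = re.compile(r"^items=(\d+)-(\d+)$")


def qradar_headers(token: str) -> dict:
    """QRadar authenticates each REST call with the SEC header (the authorized
    service token) and pins the API version with the Version header."""
    return {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}


def build_get_offenses(base_url, token, filter_expr="", fields="", sort="", range_spec=""):
    """Map the Get Offenses inputs to GET /api/siem/offenses: filter, fields and
    sort are query parameters, Range is an HTTP header. Returns (method, url, headers)."""
    params = {}
    if filter_expr:
        params["filter"] = filter_expr  # rendered filter, e.g. "status=open and start_time > 1587448800000"
    if fields:
        params["fields"] = fields
    if sort:
        params["sort"] = sort
    url = base_url.rstrip("/") + "/api/siem/offenses"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    headers = qradar_headers(token)
    if range_spec:
        m = RANGE_HEADER.match(range_spec)
        if not m or int(m.group(1)) > int(m.group(2)):
            raise ValueError(f"Range must look like items=0-49, got {range_spec!r}")
        headers["Range"] = range_spec
    return "GET", url, headers


def build_update_offense(base_url, token, offense_id, status="", closing_reason_id=0, assigned_to=""):
    """Map Update Offense to POST /api/siem/offenses/{id}. Enforces the rule from the
    table above: CLOSED needs a valid closing_reason_id, and the default of 0 is not one."""
    params = {}
    if assigned_to:
        params["assigned_to"] = assigned_to
    if status:
        status = status.upper()
        if status not in OFFENSE_STATUSES:
            raise ValueError(f"status must be one of {sorted(OFFENSE_STATUSES)}")
        if status == "CLOSED":
            reason = int(closing_reason_id or 0)
            if reason <= 0:
                raise ValueError("closing an offense needs a closing_reason_id greater than 0")
            params["closing_reason_id"] = reason
        params["status"] = status
    if not params:
        raise ValueError("nothing to update: give a status and/or assigned_to")
    url = f"{base_url.rstrip('/')}/api/siem/offenses/{int(offense_id)}?{urllib.parse.urlencode(params)}"
    return "POST", url, qradar_headers(token)


def send(method, url, headers, verify_ssl=True, timeout=30):
    """Issue the request. verify_ssl=False mirrors the connection's Verify SSL switch
    being off: certificate and hostname checks are disabled, so keep it for lab consoles."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Build the requests only; send() would need a reachable console and a real token.
    print(build_get_offenses("https://qradar.example.com", "TOKEN",
                             "status=open and start_time > 1587448800000",
                             fields="id,status,start_time", sort="-start_time", range_spec="items=0-5"))
    print(build_update_offense("https://qradar.example.com", "TOKEN", 40, status="CLOSED", closing_reason_id=2))
```

The Range check rejects a reversed range before the call is made; QRadar would otherwise answer with an error after the round trip. The same headers and base path apply to every other action on this page.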
Get Assets
Get assets from QRadar.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000. | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000. | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}. | Optional |
Fields | Comma-separated fields (default is Empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of assets
Update Asset
Update Asset by ID from QRadar.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Asset ID | Column name from parent table containing Asset ID. | Required |
Asset Body | Column name from parent table containing the JSON representation of an asset. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Asset object
Execute Search
Execute search in QRadar and retrieve results.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in the query (default is batch start time). Example: 1587448800000. | |
End Time | End time, epoch timestamp in milliseconds to use in the query (default is batch end time). Example: 1587448800000. | |
Jinja Template for Templated Query Expression | Provide a Jinja-templated AQL (Ariel Query Language) query expression. Example: select * from events where eventcount>{{eventcount_column}}. | |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Search result
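The Python example below is added here and is not part of the LogicHub integration or of QRadar. It shows the two things an Execute Search implementation has to get right: Ariel searches are asynchronous, so the query is created with POST /api/ariel/searches, polled on GET /api/ariel/searches/{id} until the status is COMPLETED, and only then read from .../results; and a templated query is a query built from parent-table data, so the placeholder values are interpolated as literals rather than pasted in. The regex renderer stands in for the Jinja rendering LogicHub performs, the FakeQRadar transport and its two event rows are constructed so the flow runs offline, and the status sequence it reports is an assumption.

```python
import re
import time

_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_aql(template: str, row: dict) -> str:
    """Render {{column}} placeholders from a parent-table row into an AQL statement.
    Stand-in for the Jinja rendering LogicHub does; the point is the interpolation
    rule: ints go in verbatim, strings are wrapped in single quotes and rejected if
    they contain a quote or backslash, so a crafted column value cannot change the
    shape of the query. Write templates with bare placeholders (sourceip={{ip}})."""
    def literal(name, value):
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise TypeError(f"{name}: only int or str values can be interpolated")
        if isinstance(value, int):
            return str(value)
        if "'" in value or "\\" in value:
            raise ValueError(f"{name}: quote or backslash in value {value!r}")
        return f"'{value}'"

    def sub(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template references column {name!r} missing from the row")
        return literal(name, row[name])

    return _PLACEHOLDER.sub(sub, template)


def run_search(transport, query: str, poll_interval: float = 0.0, max_polls: int = 120) -> dict:
    """Run an AQL search the way the Ariel API works: POST /api/ariel/searches creates
    it, GET /api/ariel/searches/{id} is polled until status is COMPLETED, and the rows
    come from GET /api/ariel/searches/{id}/results. `transport(method, path, params)`
    performs the HTTP call and returns the parsed JSON body."""
    created = transport("POST", "/api/ariel/searches", {"query_expression": query})
    search_id = created["search_id"]
    for _ in range(max_polls):
        status = transport("GET", f"/api/ariel/searches/{search_id}", None)["status"]
        if status == "COMPLETED":
            return transport("GET", f"/api/ariel/searches/{search_id}/results", None)
        if status in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} finished with status {status}")
        time.sleep(poll_interval)  # WAIT, EXECUTE, SORTING: keep polling
    raise TimeoutError(f"search {search_id} did not complete after {max_polls} polls")


class FakeQRadar:
    """Constructed stand-in for the console so the flow runs offline. It reports
    WAIT, then EXECUTE, then COMPLETED, and returns two made-up event rows."""
    SAMPLE_EVENTS = [
        {"sourceip": "10.0.0.5", "eventcount": 12},
        {"sourceip": "10.0.0.9", "eventcount": 7},
    ]

    def __init__(self):
        self.queries = {}
        self.polls = 0

    def __call__(self, method, path, params):
        if method == "POST" and path == "/api/ariel/searches":
            search_id = f"fake-{len(self.queries) + 1}"
            self.queries[search_id] = params["query_expression"]
            return {"search_id": search_id, "status": "WAIT"}
        if method == "GET" and path.endswith("/results"):
            return {"events": [dict(e) for e in self.SAMPLE_EVENTS]}
        if method == "GET" and path.startswith("/api/ariel/searches/"):
            self.polls += 1
            status = ("WAIT", "EXECUTE", "COMPLETED")[min(self.polls, 3) - 1]
            return {"search_id": path.rsplit("/", 1)[1], "status": status}
        raise ValueError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    fake = FakeQRadar()
    aql = render_aql(
        "select sourceip, eventcount from events where eventcount>{{eventcount_column}} last 1 hours",
        {"eventcount_column": 5},
    )
    print(aql)
    print(run_search(fake, aql))
```

Against a real console the transport would wrap the request builder and SEC header shown earlier; the polling loop and the literal rule do not change.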
Get Offense Notes
Get offense notes from QRadar.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Offense ID | Column name from parent table containing offense ID. | Required |
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000. | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000. | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}. | Optional |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Range | Range (default is empty value) Example: items=0-5. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of offense notes
Create Offense Note
Create offense note in QRadar.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Offense ID | Column name from parent table containing offense ID. | Required |
Note Text Column | Column name from parent table containing note text. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Offense note object
List Analytics Rules
Retrieves a list of analytics rules.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000. | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000. | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}. | Optional |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Range | Range (default is empty value). Example: items=0-5. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of analytics rules.
Get Analytics Rules By ID
Retrieves an analytics rule by ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Rule ID | Column name from parent table containing rule ID. | Required |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Analytics rule object
List Map Of Sets (Reference Data)
Retrieve a list of all reference map of sets.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000. | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000. | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}. | Optional |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Range | Range (Default is Empty value) Example: items=0-5. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of map of sets.
Get Map Of Sets (Reference Data) by Name
Retrieves a map of sets by name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map of sets to retrieve. | Required |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Map of sets object
Create Map Of Sets (Reference Data)
Create a new reference map of sets.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map of sets to create. | Required |
Key Label | Column name from parent table containing the label to describe the keys. | Required |
Value Label | Column name from parent table containing the label to describe the data values. | Required |
Element Type | Select the element type for the values allowed in the reference map of sets (default is ALN, alphanumeric). Date values must be represented in milliseconds since the Unix epoch, 1 January 1970. | Optional |
Timeout Type | Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is counted from when the data was first seen or last seen. | Optional |
Time To Live | The time to live interval, for example "1 month" or "5 minutes". | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Map of sets object.
Update Map Of Sets (Reference Data)
Add or update an element in a reference map of sets.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map of sets to add or update an element in. | Required |
Key | Column name from parent table containing the key of the set to add or update. | Required |
Value | Column name from parent table containing the value to add or update in the reference map of sets. | Required |
Source | Column name from parent table containing the source that indicates where the data originated (Default is "reference data api"). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Map of sets object.
Delete Map Of Sets (Reference Data)
Removes a map of sets.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map of sets to remove. | Required |
Purge Only | Select the purge behavior (default is FALSE). TRUE purges the contents of the reference map of sets but keeps the structure of the object, so rules that reference it keep working. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
List Map (Reference Data)
Retrieve a list of all reference map.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000. | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000. | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}. | Optional |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Range | Range (default is empty value). Example: items=0-5. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of maps.
Get Map (Reference Data) by Name
Retrieves a map identified by name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map to retrieve. | Required |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Map object
Create Map (Reference Data)
Create a new reference map.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map to create. | Required |
Key Label | Column name from parent table containing the label to describe the keys. | Required |
Value Label | Column name from parent table containing the label to describe the data values. | Required |
Element Type | Select the element type for the values allowed in the reference map (default is ALN, alphanumeric). Date values must be represented in milliseconds since the Unix epoch, 1 January 1970. | Optional |
Timeout Type | Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is counted from when the data was first seen or last seen. | Optional |
Time To Live | The time to live interval, for example "1 month" or "5 minutes". | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Map object
Update Map (Reference Data)
Add or update an element in a reference map.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map to add or update an element in. | Required |
Key | Column name from parent table containing the key to add or update in the reference map. | Required |
Value | Column name from parent table containing the value to add or update in the reference map. | Required |
Source | Column name from parent table containing the source that indicates where the data originated (Default is "reference data api"). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Map object
Delete Map (Reference Data)
Removes a map.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference map to remove. | Required |
Purge Only | Select the purge behavior (default is FALSE). TRUE purges the contents of the reference map but keeps the structure of the object. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
List Sets (Reference Data)
Retrieve a list of all reference sets.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000. | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000. | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}. | Optional |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Range | Range (default is empty value). Example: items=0-5. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of sets
Get Set (Reference Data) by Name
Retrieve the reference set identified by name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference set to retrieve. | Required |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set object
Create Set (Reference Data)
Create a new reference set.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference set being created. | Required |
Value Label | Column name from parent table containing the label to describe the data values. | Required |
Element Type | Select the element type for the values allowed in the reference set (default is ALN, alphanumeric). Date values must be represented in milliseconds since the Unix epoch, 1 January 1970. | Optional |
Timeout Type | Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is counted from when the data was first seen or last seen. | Optional |
Time To Live | The time to live interval, for example "1 month" or "5 minutes". | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set object
Update Set (Reference Data)
Add or update an element in a reference set.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference set to add or update an element in. | Required |
Value | Column name from parent table containing the value to add or update in the reference set. | Required |
Source | Column name from parent table containing the source that indicates where the data originated (Default is "reference data api"). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Set object
Delete Set (Reference Data)
Removes a set.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference set to remove. | Required |
Purge Only | Select the purge behavior (default is FALSE). TRUE purges the contents of the reference set but keeps the structure of the object. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message
List Tables (Reference Data)
Retrieve a list of all reference tables.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Start Time | Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000. | Optional |
End Time | End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000. | Optional |
Jinja Template for Filter | Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}. | Optional |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Range | Range (default is empty value) Example: items=0-5. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of tables.
Get Table (Reference Data) by Name
Retrieve the reference table identified by name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference table to retrieve. | Required |
Fields | Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Table object.
Create Table (Reference Data)
Create a new reference Table.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference table being created. | Required |
Outer Key Label | Column name from parent table containing the label to describe the outer keys. | Required |
Element Type | Select the element type for the values allowed in the reference table (default is ALN, alphanumeric). Date values must be represented in milliseconds since the Unix epoch, 1 January 1970. | Optional |
Timeout Type | Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is counted from when the data was first seen or last seen. | Optional |
Time To Live | The time to live interval, for example "1 month" or "5 minutes". | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Table object
Update Table (Reference Data)
Add or update an element in a reference table.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference table to add or update an element in. | Required |
Outer Key | Column name from parent table containing the outer key to add or update. | Required |
Inner Key | Column name from parent table containing the inner key to add or update. | Required |
Value | Column name from parent table containing the value to add or update in the reference table. | Required |
Source | Column name from parent table containing the source that indicates where the data originated (Default is "reference data api"). | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Table object.
Delete Table (Reference Data)
Removes a table.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Column name from parent table containing the name of the reference table to remove. | Required |
Purge Only | Select the purge behavior (default is FALSE). TRUE purges the contents of the reference table but keeps the structure of the object. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Success/Failure message.
List Mappings (MITRE Information)
Returns all MITRE attack rule mappings in QRadar use case manager.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Use Case Manager ID | Column name from parent table containing the use case manager plugin ID. | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: List of mappings.
Get Mappings (MITRE Information) By Rule ID
Returns the rule mappings in QRadar use case manager.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Use Case Manager ID | Column name from parent table containing the use case manager plugin ID. | Required |
Rule ID | Column name from parent table containing the rule ID. | Required |
Tactic Name | Column name from parent table containing the tactic name. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Mapping object.
Update Map Bulk (Reference Data)
Adds or updates data in a reference map in a single call. Unlike Update Map, which runs once per row, this action sends the key and value columns of the entire parent table at once.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Name | Name of the reference map to add or update an element in. | Required |
Key | Column name from parent table containing the key to add or update in the reference map. | Required |
Value | Column name from parent table containing the value to add or update in the reference map. | Required |
Fields | Comma-separated fields (Default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one, second_one. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- result: Map object. Example:
{
"has_error":false,
"result":{"name":"S7","timeout_type":"UNKNOWN","creation_time":1593115291310,"time_to_live":"0 years 0 mons 0 days 0 hours 1 mins 0.00 secs","element_type":"ALN","number_of_elements":8},
"error":null
}
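The Python example below is added here and is not part of the LogicHub integration or of QRadar. It covers the reference data actions above for sets, maps, maps of sets and tables in one place: the create call carries name, element type, timeout type, TTL and the labels as query parameters on /api/reference_data/{collection}; adding an element posts key, value and source to /api/reference_data/{collection}/{name}; delete sends purge_only so a purge keeps the object definition; and the bulk form posts a JSON body to /api/reference_data/{collection}/bulk_load/{name}. Each value is checked against the collection's element type before it leaves the host, and DATE values are converted to epoch milliseconds as the tables above require. The refusal of a TTL with timeout type UNKNOWN is this example's own policy, and the collection names and sample data are constructed.

```python
import ipaddress
import json
import urllib.parse
from datetime import datetime

BASE = "/api/reference_data"
COLLECTIONS = {"set": "sets", "map": "maps", "map_of_sets": "map_of_sets", "table": "tables"}
ELEMENT_TYPES = {"ALN", "ALNIC", "NUM", "IP", "PORT", "DATE"}
TIMEOUT_TYPES = {"UNKNOWN", "FIRST_SEEN", "LAST_SEEN"}


def coerce_element(value, element_type: str) -> str:
    """Validate a value against the collection's element type and return the string
    QRadar expects. A bad IP or out-of-range port fails here, not as an API error."""
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"unknown element type {element_type!r}")
    if element_type == "IP":
        return str(ipaddress.ip_address(value))          # ValueError on anything that is not an address
    if element_type == "PORT":
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {value!r}")
        return str(port)
    if element_type == "NUM":
        float(value)                                     # must parse as a number
        return str(value)
    if element_type == "DATE":                           # stored as milliseconds since the Unix epoch
        if isinstance(value, datetime):
            return str(int(value.timestamp() * 1000))
        return str(int(value))
    return str(value)                                    # ALN / ALNIC


def _path(kind: str, name: str, *extra: str) -> str:
    if kind not in COLLECTIONS:
        raise ValueError(f"unknown collection kind {kind!r}")
    return "/".join([BASE, COLLECTIONS[kind], *extra, urllib.parse.quote(name, safe="")])


def create_request(kind, name, element_type="ALN", timeout_type="UNKNOWN", time_to_live=None, **labels):
    """POST /api/reference_data/{collection}. Labels are passed under the API's own
    names: key_label, value_label, outer_key_label."""
    if kind not in COLLECTIONS or element_type not in ELEMENT_TYPES or timeout_type not in TIMEOUT_TYPES:
        raise ValueError("unknown collection, element type or timeout type")
    if time_to_live and timeout_type == "UNKNOWN":
        raise ValueError("time_to_live needs FIRST_SEEN or LAST_SEEN to anchor the interval")
    params = {"name": name, "element_type": element_type, "timeout_type": timeout_type}
    if time_to_live:
        params["time_to_live"] = time_to_live
    params.update(labels)
    return "POST", f"{BASE}/{COLLECTIONS[kind]}?{urllib.parse.urlencode(params)}", None


def add_element_request(kind, name, value, element_type="ALN", source="reference data api", **keys):
    """POST /api/reference_data/{collection}/{name}. Pass key= for maps and maps of
    sets, outer_key= and inner_key= for tables; sets take only the value."""
    params = dict(keys)
    params["value"] = coerce_element(value, element_type)
    params["source"] = source
    return "POST", _path(kind, name) + "?" + urllib.parse.urlencode(params), None


def delete_request(kind, name, purge_only=False):
    """DELETE /api/reference_data/{collection}/{name}. purge_only=true empties the
    collection but keeps its definition, so rules that reference it keep working."""
    query = urllib.parse.urlencode({"purge_only": str(bool(purge_only)).lower()})
    return "DELETE", _path(kind, name) + "?" + query, None


def bulk_load_request(kind, name, data, element_type="ALN"):
    """POST /api/reference_data/{collection}/bulk_load/{name} with a JSON body:
    a list for sets, key->value for maps, key->list for maps of sets,
    outer->inner->value for tables."""
    if kind == "set":
        body = [coerce_element(v, element_type) for v in data]
    elif kind == "map":
        body = {k: coerce_element(v, element_type) for k, v in data.items()}
    elif kind == "map_of_sets":
        body = {k: [coerce_element(v, element_type) for v in vs] for k, vs in data.items()}
    elif kind == "table":
        body = {o: {i: coerce_element(v, element_type) for i, v in inner.items()} for o, inner in data.items()}
    else:
        raise ValueError(f"unknown collection kind {kind!r}")
    return "POST", _path(kind, name, "bulk_load"), json.dumps(body)


if __name__ == "__main__":
    # Constructed sample data; the names BlockedIPs and HostOwners are assumptions.
    print(create_request("set", "BlockedIPs", element_type="IP", timeout_type="LAST_SEEN",
                         time_to_live="1 month", value_label="Blocked source"))
    print(bulk_load_request("set", "BlockedIPs", ["10.0.0.5", "192.0.2.7"], element_type="IP"))
    print(add_element_request("table", "HostOwners", "soc@example.com", outer_key="10.0.0.5", inner_key="owner"))
    print(delete_request("map", "HostOwners", purge_only=True))
```

Each function returns (method, path, body); the SEC and Version headers and the TLS handling are the same as for the offense calls and are not repeated here. The element-type check matters most for IP and DATE collections fed from parent-table columns, where a malformed value would otherwise be rejected by the console one row at a time.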
Get Offenses By Source Address
Retrieve a list of offense source addresses currently in the system.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter | Jinja-template containing filter condition. This parameter is used to restrict the elements in a list based on the contents of various fields. (Default is Empty value). | Required |
Fields | Jinja-template containing comma-separated fields. Specify subfields in brackets and multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, second_one. | Required |
Range | Provide the range. Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero (Default is Empty value) e.g. items=0-5. | Required |
Output
A JSON object containing multiple rows of result:
[
{
"last_event_flow_seen":1631175930971,
"network":"other",
"source_ip":"104.16.21.35",
"first_event_flow_seen":1544298346852,
"domain_id":0,
"magnitude":0,
"offense_ids":[
40
],
"local_destination_address_ids":[
3
],
"id":6,
"event_flow_count":43457
}
]
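The Fields input used by the actions above (for example `field_one (field_two, field_three),field_four`) selects top-level fields and, in brackets, subfields of nested objects. As an added example, not code from the LogicHub integration or from IBM, here is a parser for that syntax plus a projection that applies it to a record shaped like the sample output above; SAMPLE_SOURCE_ADDRESS is constructed from that sample.

```python
import re

# Constructed sample, shaped like the Get Offenses By Source Address output above.
SAMPLE_SOURCE_ADDRESS = {"source_ip": "104.16.21.35", "network": "other", "id": 6,
                         "offense_ids": [40], "local_destination_address_ids": [3]}

def parse_fields(spec):
    """Parse 'a(b,c),d' into {'a': {'b': {}, 'c': {}}, 'd': {}}; whitespace is ignored."""
    tokens = re.findall(r"\w+|[(),]", spec)
    pos = 0
    def parse_list():
        nonlocal pos
        out = {}
        while pos < len(tokens) and tokens[pos] != ")":
            name = tokens[pos]
            if name in ("(", ","):
                raise ValueError(f"unexpected {name!r} in fields spec")
            pos += 1
            out[name] = {}
            if pos < len(tokens) and tokens[pos] == "(":   # nested subfield list
                pos += 1
                out[name] = parse_list()
                if pos >= len(tokens) or tokens[pos] != ")":
                    raise ValueError("unbalanced parentheses in fields spec")
                pos += 1
            if pos < len(tokens) and tokens[pos] == ",":
                pos += 1
        return out

    result = parse_list()
    if pos != len(tokens):        # a stray ')' was left over
        raise ValueError("unbalanced parentheses in fields spec")
    return result

def project(record, fields):
    """Keep only the listed keys of a record, recursing into nested objects and lists of objects."""
    if not fields:                # empty Fields value means "return everything"
        return record
    out = {}
    for name, sub in fields.items():
        if name in record:
            val = record[name]
            if isinstance(val, dict):
                val = project(val, sub)
            elif isinstance(val, list):
                val = [project(v, sub) if isinstance(v, dict) else v for v in val]
            out[name] = val
    return out
```

Running `project(SAMPLE_SOURCE_ADDRESS, parse_fields("source_ip,offense_ids"))` keeps just those two keys, which is the subset the action would return for that Fields value.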
Get Offenses By Local Destination Address
Retrieve a list of offense local destination addresses currently in the system.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter | Jinja-template text containing filter condition. This parameter is used to restrict the elements in a list based on the contents of various fields. (Default is Empty value). | Required |
Fields | Jinja-template text containing comma-separated fields. Specify subfields in brackets and multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, second_one. | Required |
Range | Provide the range. Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero (Default is Empty value) e.g. items=0-5. | Required |
Output
A JSON object containing multiple rows of result:
[
{
"last_event_flow_seen":1631172764005,
"network":"Net-10-172-192.Net_172_16_0_0",
"first_event_flow_seen":1544294554145,
"domain_id":0,
"magnitude":0,
"local_destination_ip":"172.19.144.104",
"source_address_ids":[
6
],
"offense_ids":[
40
],
"id":3,
"event_flow_count":308226
}
]
Get Domains
Retrieves the list of all domains, active and deleted (including the default domain).
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Filter | Jinja-template text containing filter condition. This parameter is used to restrict the elements in a list based on the contents of various fields. (Default is Empty value). | Required |
Fields | Jinja-template text containing comma-separated fields. Specify subfields in brackets and multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, second_one. | Required |
Range | Provide the range. Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero (Default is Empty value) e.g. items=0-5. | Required |
Output
A JSON object containing multiple rows of result:
[
{
"event_collector_ids":[
],
"description":"",
"log_source_group_ids":[
],
"deleted":false,
"asset_scanner_ids":[
],
"custom_properties":[
],
"id":0,
"flow_collector_ids":[
],
"tenant_id":0,
"log_source_ids":[
],
"flow_source_ids":[
],
"qvm_scanner_ids":[
],
"name":""
}
]
Get Log Source Type by ID
Retrieves the Log Source Type by ID
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Jinja-templated text containing the Log Source Type ID. Example: {{log_source_type_id}}. | |
Fields | Jinja-templated text containing comma-separated fields. Specify subfields in brackets and multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, {{second_one}}. | |
Output
A JSON object containing the Log Source Type.
{
"custom": true,
"default_protocol_id": 42,
"id": 42,
"internal": true,
"log_source_extension_id": 42,
"name": "String",
"protocol_types": [
{
"documented": true,
"protocol_id": 42
}
],
"supported_language_ids": [
42
],
"version": "String"
}
Get Offense Type by ID
Retrieves the Offense Type by ID
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
ID | Jinja-templated text containing the Offense Type ID. Example: {{ibm_qradar_offense_type_id}} | Required |
Fields | Jinja-templated text containing comma-separated fields. Specify subfields in brackets and multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, {{second_one}}. | Optional |
Output
A JSON object containing multiple rows of result:
{
"custom": true,
"database_type": "String",
"id": ,
"name": "String",
"property_name": "String"
}
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
v1.7.3
- Revert the bug fix of v1.7.2.
v1.7.2
- Bug fix: Considering time filter in Execute Search action.