IBM QRadar

IBM® QRadar® Security Information and Event Management (SIEM) helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

Integration with LogicHub

Connecting with QRadar

To connect to QRadar, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • URL: URL to your IBM QRadar instance
  • Authentication Token: Authentication Token for IBM QRadar

Actions with QRadar

Get Offenses

Get offenses from QRadar

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in the query filter (default is batch start time). Example: 1587448800000
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in the query filter (default is batch end time). Example: 1587448800000
  • Jinja Template for Filter (Optional): Jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets; multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.
  • Range (Optional): Restricts the number of elements returned in the list to the specified range. The list is indexed starting at zero.
  • Sort (Optional): Condition for sorting (default is empty value). Example: +field_one,-object(sub_field)

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of offenses
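As an added example (not LogicHub's or IBM's code), the following Python assembles the request these inputs describe: it renders the Jinja-style filter for one parent-table row, checks that the timestamps are epoch milliseconds rather than seconds, and places fields, sort and range where the QRadar REST API expects them. The endpoint path /api/siem/offenses, the SEC header carrying the authentication token, the Range header, and the way the batch window is combined with the offense start_time field are assumptions from QRadar's REST API, not stated on this page; the template renderer is a minimal stand-in for Jinja.

```python
import re
from typing import Optional

# Minimal stand-in for Jinja: only the {{ column }} substitution form used in
# the action's example. An unknown column is an error rather than an empty
# string, so a mistyped column name cannot silently widen the filter.
_PLACEHOLDER = re.compile(r"{{\s*(\w+)\s*}}")


def render_filter(template: str, row: dict) -> str:
    def substitute(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"filter template references unknown column {name!r}")
        return str(row[name])
    return _PLACEHOLDER.sub(substitute, template)


def _epoch_ms(name: str, value: Optional[int]) -> Optional[int]:
    # The action expects milliseconds; a seconds value is ~1000x too small and
    # would match nothing, so anything below 10**12 (late 2001 in ms) is rejected.
    if value is None:
        return None
    if not isinstance(value, int) or value < 10**12:
        raise ValueError(f"{name} must be an epoch timestamp in milliseconds, got {value!r}")
    return value


def build_get_offenses_request(base_url: str, token: str, row: dict,
                               start_time: Optional[int] = None,
                               end_time: Optional[int] = None,
                               filter_template: str = "", fields: str = "",
                               range_spec: str = "", sort: str = "") -> dict:
    """Return the HTTP request (as a dict; nothing is sent) for Get Offenses.

    Assumptions: QRadar's /api/siem/offenses endpoint, the SEC header for the
    token, the Range header for pagination, and constraining the offense
    start_time field by the batch window.
    """
    start, end = _epoch_ms("start_time", start_time), _epoch_ms("end_time", end_time)
    if start is not None and end is not None and start > end:
        raise ValueError("start_time is later than end_time")

    clauses = []
    if filter_template:
        clauses.append(render_filter(filter_template, row))
    if start is not None:
        clauses.append(f"start_time >= {start}")
    if end is not None:
        clauses.append(f"start_time <= {end}")

    params = {}
    if clauses:
        params["filter"] = " and ".join(clauses)
    if fields:
        # "field_one (field_two, field_three),field_four" -> strip all whitespace
        params["fields"] = re.sub(r"\s+", "", fields)
    if sort:
        params["sort"] = sort

    headers = {"SEC": token, "Accept": "application/json"}
    if range_spec:
        if not re.fullmatch(r"items=\d+-\d+", range_spec):
            raise ValueError("range must look like items=0-5")
        headers["Range"] = range_spec

    return {"method": "GET",
            "url": base_url.rstrip("/") + "/api/siem/offenses",
            "headers": headers, "params": params}
```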

Get Offense By ID

Get offense from QRadar with the given ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • ID: Column name from parent table containing offense ID
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Offense object

Update Offense

Update offense in QRadar.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Offense ID: Column name from parent table containing Offense ID.
  • Assigned To User Column (Optional): Column name from parent table containing the user to assign the offense to (default is empty value).
  • Closing Reason ID (Optional): Column name from parent table containing the ID of a closing reason (default is 0). You must provide a valid closing_reason_id when you close an offense.
  • Status (Optional): Column name from parent table containing the new status of the offense (default is empty value). Set to one of OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets; multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Updated Offense object.
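The status and closing-reason rules above are easy to get wrong when the values come from a parent table column rather than being typed by hand. This added Python (not LogicHub's or IBM's code) validates each row before anything is sent and returns one has_error/error/result envelope per row in the shape this page documents. The POST /api/siem/offenses/{id} endpoint with the update carried as query parameters, and the SEC header for the token, are assumptions from QRadar's REST API; the sample rows are constructed.

```python
VALID_STATUSES = {"OPEN", "HIDDEN", "CLOSED"}


def build_update_offense_request(base_url: str, token: str, offense_id,
                                 assigned_to: str = "", closing_reason_id=0,
                                 status: str = "", fields: str = "") -> dict:
    """Validate one offense update and return the request (as a dict; nothing is sent).

    Assumptions: QRadar's POST /api/siem/offenses/{id} endpoint taking the update
    as query parameters, and the SEC header for the authentication token.
    """
    if not isinstance(offense_id, int) or offense_id <= 0:
        raise ValueError(f"offense ID must be a positive integer, got {offense_id!r}")
    params = {}
    status = (status or "").upper()
    if status and status not in VALID_STATUSES:
        raise ValueError(f"status must be one of OPEN, HIDDEN, CLOSED, got {status!r}")
    if status == "CLOSED":
        # QRadar refuses to close an offense without a reason; catching it here
        # gives a clear per-row error instead of a failed API call mid-batch.
        if not isinstance(closing_reason_id, int) or closing_reason_id <= 0:
            raise ValueError("closing an offense requires a valid closing_reason_id")
        params["closing_reason_id"] = closing_reason_id
    elif closing_reason_id:
        raise ValueError("closing_reason_id is only meaningful with status CLOSED")
    if status:
        params["status"] = status
    if assigned_to:
        params["assigned_to"] = assigned_to
    if fields:
        params["fields"] = "".join(fields.split())
    return {"method": "POST",
            "url": f"{base_url.rstrip('/')}/api/siem/offenses/{offense_id}",
            "headers": {"SEC": token, "Accept": "application/json"},
            "params": params}


def run_update_offense(base_url: str, token: str, rows: list, id_col: str,
                       status_col: str = "", reason_col: str = "",
                       assigned_col: str = "") -> list:
    """Apply the action row by row, reading each input through its configured
    column name, and return one has_error/error/result envelope per row."""
    def col(row, name, default):
        return row.get(name, default) if name else default

    envelopes = []
    for row in rows:
        try:
            request = build_update_offense_request(
                base_url, token, row[id_col],
                assigned_to=col(row, assigned_col, ""),
                closing_reason_id=col(row, reason_col, 0),
                status=col(row, status_col, ""))
            envelopes.append({"has_error": False, "error": None, "result": request})
        except (KeyError, ValueError) as exc:
            envelopes.append({"has_error": True, "error": str(exc), "result": None})
    return envelopes


# Constructed parent-table rows: one valid close, one close without a reason,
# one hide, and one row whose offense ID is not an integer.
SAMPLE_ROWS = [
    {"offense_id": 42, "new_status": "CLOSED", "reason": 3},
    {"offense_id": 43, "new_status": "CLOSED", "reason": 0},
    {"offense_id": 44, "new_status": "HIDDEN", "reason": 0},
    {"offense_id": "x", "new_status": "OPEN", "reason": 0},
]
```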

Get Assets

Get assets from QRadar.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.
  • Jinja Template for Filter (Optional): Provide jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of assets

Update Asset

Update Asset by ID from QRadar.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Asset ID: Column name from parent table containing Asset ID.
  • Asset Body: Column name from parent table containing the JSON representation of an asset.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Asset object

Execute Search

Execute search in QRadar and retrieve results.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in the query (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in the query (default is batch end time). Example: 1587448800000.
  • Jinja Template for Templated Query Expression: Provide a Jinja-templated query expression in AQL (Ariel Query Language). Example: select * from events where eventcount>{{eventcount_column}}.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Search result

Get Offense Notes

Get offense notes from QRadar.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Offense ID: Column name from parent table containing offense ID.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.
  • Jinja Template for Filter (Optional): Provide jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.
  • Range (Optional): Range (default is empty value). Example: items=0-5.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of offense notes

Create Offense Note

Create offense note in QRadar.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Offense ID: Column name from parent table containing offense ID.
  • Note Text Column: Column name from parent table containing note text.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Offense note object

List Analytics Rules

Retrieves a list of analytics rules.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.
  • Jinja Template for Filter (Optional): Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.
  • Range (Optional): Range (default is empty value). Example: items=0-5.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of analytics rules.

Get Analytics Rules By ID

Retrieves an analytics rule by ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Rule ID: Column name from parent table containing rule ID.
  • Fields: Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Analytics rule object

List Map Of Sets (Reference Data)

Retrieve a list of all reference map of sets.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.
  • Jinja Template for Filter (Optional): Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.
  • Range (Optional): Range (default is empty value). Example: items=0-5.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of map of sets.

Get Map Of Sets (Reference Data) by Name

Retrieves a map of sets by name.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map of sets to retrieve.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Map of sets object

Create Map Of Sets (Reference Data)

Create a new reference map of sets.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map of sets to create.
  • Key Label: Column name from parent table containing the label to describe the keys.
  • Value Label: Column name from parent table containing the label to describe the data values.
  • Element Type (Optional): Select the element type for the values allowed in the reference map of sets (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.
  • Timeout Type (Optional): Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.
  • Time To Live (Optional): The time to live interval, for example "1 month" or "5 minutes".

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Map of sets object.

Update Map Of Sets (Reference Data)

Add or update an element in a reference map of sets.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map of sets to add or update an element in.
  • Key: Column name from parent table containing the key of the set to add or update.
  • Value: Column name from parent table containing the value to add or update in the reference map of sets.
  • Source (Optional): Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Map of sets object.

Delete Map Of Sets (Reference Data)

Removes a map of sets.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map of sets to remove.
  • Purge Only (Optional): Select purge behavior (default is FALSE). This indicates whether the reference map of sets should have its contents purged (TRUE) while keeping the structure of the object.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

List Map (Reference Data)

Retrieve a list of all reference maps.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.
  • Jinja Template for Filter (Optional): Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.
  • Range (Optional): Range (default is empty value). Example: items=0-5.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of maps.

Get Map (Reference Data) by Name

Retrieves a map identified by name.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map to retrieve.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Map object

Create Map (Reference Data)

Create a new reference map.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map to create.
  • Key Label: Column name from parent table containing the label to describe the keys.
  • Value Label: Column name from parent table containing the label to describe the data values.
  • Element Type (Optional): Select the element type for the values allowed in the reference map (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.
  • Timeout Type (Optional): Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.
  • Time To Live (Optional): The time to live interval, for example "1 month" or "5 minutes".

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Map object

Update Map (Reference Data)

Add or update an element in a reference map.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map to add or update an element in.
  • Key: Column name from parent table containing the key to add or update in the reference map.
  • Value: Column name from parent table containing the value to add or update in the reference map.
  • Source (Optional): Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Map object

Delete Map (Reference Data)

Removes a map.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference map to remove.
  • Purge Only (Optional): Select purge behavior (default is FALSE). This indicates whether the reference map should have its contents purged (TRUE) while keeping the structure of the object.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

List Sets (Reference Data)

Retrieve a list of all reference sets.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.
  • Jinja Template for Filter (Optional): Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.
  • Range (Optional): Range (default is empty value). Example: items=0-5.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of sets

Get Set (Reference Data) by Name

Retrieve the reference set identified by name.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference set to retrieve.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Set object

Create Set (Reference Data)

Create a new reference set.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference set being created.
  • Value Label: Column name from parent table containing the label to describe the data values.
  • Element Type (Optional): Select the element type for the values allowed in the reference set (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.
  • Timeout Type (Optional): Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.
  • Time To Live (Optional): The time to live interval, for example "1 month" or "5 minutes".

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Set object

Update Set (Reference Data)

Add or update an element in a reference set.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference set to add or update an element in.
  • Value: Column name from parent table containing the value to add or update in the reference set.
  • Source (Optional): Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Set object

Delete Set (Reference Data)

Removes a set.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference set to remove.
  • Purge Only (Optional): Select purge behavior (default is FALSE). This indicates whether the reference set should have its contents purged (TRUE) while keeping the structure of the object.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message

List Tables (Reference Data)

Retrieve a list of all reference tables.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Start Time (Optional): Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.
  • End Time (Optional): End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.
  • Jinja Template for Filter (Optional): Provide jinja-templated filter condition (Default is Empty value) Example: status=open and start_time > {{time_column}}.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.
  • Range (Optional): Range (default is empty value) Example: items=0-5.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of tables.

Get Table (Reference Data) by Name

Retrieve the reference table identified by name.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference table to retrieve.
  • Fields (Optional): Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Table object.

Create Table (Reference Data)

Create a new reference Table.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference table being created.
  • Outer Key Label: Column name from parent table containing the label to describe the data values.
  • Element Type (Optional): Select the element type for the values allowed in the reference table (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.
  • Timeout Type (Optional): Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.
  • Time To Live (Optional): The time to live interval, for example "1 month" or "5 minutes".

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Table object

Update Table (Reference Data)

Add or update an element in a reference table.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference table to add or update an element in.
  • Outer Key: Column name from parent table containing the outer key to add or update.
  • Inner Key: Column name from parent table containing the inner key to add or update.
  • Value: Column name from parent table containing the value to add or update in the reference table.
  • Source (Optional): Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Table object.

Delete Table (Reference Data)

Removes a table.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Name: Column name from parent table containing the name of the reference table to remove.
  • Purge Only (Optional): Select purge behavior (default is FALSE). This indicates whether the reference table should have its contents purged (TRUE) while keeping the structure of the object.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Success/Failure message.

List Mappings (MITRE Information)

Returns all MITRE ATT&CK rule mappings in QRadar Use Case Manager.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Use Case Manager ID: Column name from parent table containing the use case manager plugin ID.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: List of mappings.

Get Mappings (MITRE Information) By Rule ID

Returns the rule mappings in QRadar use case manager.

Inputs to this action

  • Connection: Choose a connection that you have created.
  • Use Case Manager ID: Column name from parent table containing the use case manager plugin ID.
  • Rule ID: Column name from parent table containing the rule ID.
  • Tactic Name (Optional): Column name from parent table containing the tactic name.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Mapping object.

Update Map Bulk (Reference Data)

Adds or updates data in a reference map in one go; this action works across the entire parent table.

Inputs to this action

  • Connection: Choose a connection that you have created.
  • Name: Name of the reference map to add or update an element in.
  • Key: Column name from parent table containing the key to add or update in the reference map.
  • Value: Column name from parent table containing the value to add or update in the reference map.
  • Fields (Optional): Comma-separated fields (Default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one, second_one.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • result: Mapping object.
Example output:

{
  "has_error": false,
  "result": {
    "name": "S7",
    "timeout_type": "UNKNOWN",
    "creation_time": 1593115291310,
    "time_to_live": "0 years 0 mons 0 days 0 hours 1 mins 0.00 secs",
    "element_type": "ALN",
    "number_of_elements": 8
  },
  "error": null
}
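Reference data is only as useful as the values loaded into it: a detection rule that matches against a map or set never fires on an entry that is not a valid IP, port or timestamp, and the bulk action above pushes a whole parent table at once. This added Python (not LogicHub's or IBM's code) checks each row against the Element Type named in the Create Map / Create Set / Create Table actions, collapses the table into the {key: value} object a bulk map load takes, and parses the time_to_live string from the sample output above into seconds. The element types beyond ALN and DATE, and the 30-day month and 365-day year used for the conversion, are assumptions; the sample rows are constructed.

```python
import ipaddress
import re

# QRadar reference-data element types as offered in the Element Type input.
# Only ALN and DATE are named on this page; the others are assumed from the
# QRadar REST API.
ELEMENT_TYPES = ("ALN", "ALNIC", "NUM", "IP", "PORT", "DATE")


def validate_element(value, element_type: str):
    """Return `value` normalised for the reference-data element type, or raise
    ValueError so the bad row is reported instead of silently loaded."""
    kind = element_type.upper()
    if kind not in ELEMENT_TYPES:
        raise ValueError(f"unknown element type {element_type!r}")
    if kind in ("ALN", "ALNIC"):
        text = str(value).strip()
        if not text:
            raise ValueError("empty value")
        return text
    if kind == "NUM":
        return float(value)
    if kind == "IP":
        return str(ipaddress.ip_address(str(value).strip()))
    if kind == "PORT":
        port = int(value)
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        return port
    stamp = int(value)                      # DATE: milliseconds since the epoch
    if stamp < 10**12:
        raise ValueError("DATE values must be epoch milliseconds, not seconds")
    return stamp


def build_bulk_map_payload(rows: list, key_col: str, value_col: str,
                           element_type: str = "ALN"):
    """Collapse parent-table rows into the {key: value} object a bulk map load
    takes. Returns (payload, errors); rows that fail validation or repeat a key
    with a different value are reported rather than loaded."""
    payload, errors = {}, []
    for index, row in enumerate(rows):
        try:
            key = str(row[key_col]).strip()
            if not key:
                raise ValueError("empty key")
            value = validate_element(row[value_col], element_type)
        except (KeyError, ValueError) as exc:
            errors.append({"row": index, "error": str(exc)})
            continue
        if key in payload and payload[key] != value:
            errors.append({"row": index, "error": f"key {key!r} repeated with a different value"})
            continue
        payload[key] = value
    return payload, errors


_TTL = re.compile(r"(\d+) years (\d+) mons (\d+) days (\d+) hours (\d+) mins ([\d.]+) secs")


def ttl_seconds(time_to_live: str) -> float:
    """Convert the time_to_live string QRadar returns (as in the sample output)
    to seconds. Months are taken as 30 days and years as 365 (assumption)."""
    match = _TTL.fullmatch(time_to_live.strip())
    if not match:
        raise ValueError(f"unrecognised time_to_live: {time_to_live!r}")
    years, months, days, hours, mins, secs = match.groups()
    return ((int(years) * 365 + int(months) * 30 + int(days)) * 86400
            + int(hours) * 3600 + int(mins) * 60 + float(secs))


# Constructed parent-table rows for an IP-typed map: one valid entry, one
# unparsable address, a harmless repeat, an empty key, and a padded value.
SAMPLE_ROWS = [
    {"k": "host-a", "v": "10.0.0.5"},
    {"k": "host-b", "v": "not-an-ip"},
    {"k": "host-a", "v": "10.0.0.5"},
    {"k": "", "v": "10.0.0.9"},
    {"k": "host-c", "v": " 10.0.0.5 "},
]
```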
