qradar
IBM QRadar search event using APIs
I wanted to know if it is possible to search for an Event using IBM QRadar APIs. please find the screenshot below as an example.
in the above, image when we hit the search button, we will get over events which contain text in the text bar. I want to do the same thing with the help of API. please help.
Solution
I found the answer to my question-
to fetch the payload or Event information via QRadar APIs first use the search API to get the search ID
curl --location --request POST 'https://qradar-2.as.local/api/ariel/searches?query_expression=select%20payload%20from%20events%20WHERE%20UTF8%28payload%29%20ILIKE%20%27%25xyz-xyzzyx-07.xy.as.local-51995-596966-1%25%27%20START%20%272020-08-21%2004%3A00%27%20STOP%20%272020-08-21%2006%3A00%27%20' \
--header 'Version: 12.0' \
--header 'Accept: application/json' \
--header 'SEC: {{your token here}}' \
--header 'Cookie: JSESSIONID=F988AE8612EDF61A67249876B783CEA7'
then use this search ID in the API below
curl --location --request GET 'https://qradar-2.as.local/api/ariel/searches/{{search_id}}/results' \
--header 'Range: items=0-49' \
--header 'Version: 12.0' \
--header 'Accept: application/json' \
--header 'SEC: {{your token here}}' \
--header 'Cookie: JSESSIONID=E6568B30B3615UUIUD5672AB56578F9E66'
now the response of this API will be base64 encoded so you visit any site to decode. eg. https://www.base64decode.org/
hope this will help people
- If a log is sent to Qradar such as syslog, the log can be forwarded to a python script?
- Syslog-ng service error on restart - syslog forward to Qradar
- IBM QRadar search event using APIs
- Extract the Source IP Address from two different log samples with regex
- Multiline Log Reading from Log file
- QRAdar - AQL no viable alternative at input SELECT
- Range Header Must Use Appropriate Property or Method