QRadar API

Examples of QRadar API using Python and PowerShell (PowerShell Core as I needed to use the SkipCertificateCheck switch for our test environment).

All examples are utilized with IBM QRadar Community Edition running on CentOS Minimal

• Ariel
  • searches
    • Pass AQL
  • List Databases
• Offenses
  • List
    • QRadar_List_Offenses.py
    • QRadar_List_Offenses.ps1
• Reference Data

  • Reference Sets (The only reference collection you can manage in the web console)

    • Create
      • QRadar_Create_ReferenceSet.py
      • QRadar_Create_ReferenceSet.ps1
    • Add
      • QRadar_Add_ReferenceSet.py
      • QRadar_Add_ReferenceSet.ps1
      • QRadar_Add_Bulk_ReferenceSet.py
      • QRadar_Add_Bulk_ReferenceSet.ps1
      • QRadar_Add_Bulk_File_ReferenceSet.ps1
    • List
      • QRadar_List_ReferenceSet.py
      • QRadar_List_ReferenceSet.ps1

  • Reference Maps

    • Create
      • QRadar_Create_ReferenceMap.py
      • QRadar_Create_ReferenceMap.ps1
    • Add
      • QRadar_Add_ReferenceMap.py
      • QRadar_Add_ReferenceMap.ps1
      • QRadar_Add_Bulk_ReferenceMap.py
      • QRadar_Add_Bulk_ReferenceMap.ps1
    • List
      • QRadar_List_ReferenceMap.py
      • QRadar_List_ReferenceMap.ps1

  • Reference Map of Sets

    • Create
      • QRadar_Create_ReferenceMapOfSets.py
    • Add
      • QRadar_Add_ReferenceMapOfSets.py
      • QRadar_Add_Bulk_ReferenceMapOfSets.py
    • List
      • QRadar_List_ReferenceMapOfSets.py

  • Reference Map of Maps (incomplete)

  • Reference Table (incomplete)

AQL Usage

ReferenceSets

function: REFERENCESETCONTAINS

SELECT DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss') as 'Date',
       sourceIP, destinationIP, username
FROM events
WHERE REFERENCESETCONTAINS('DEMO_UserName',username)

ReferenceMaps

function: REFERENCEMAP

SELECT username, count(*),
       REFERENCEMAP('DEMO_MAP',LOWER(username)) as Full_Name_Of_User
FROM events
GROUP BY username