QRadar API

Examples of QRadar API using Python and PowerShell (PowerShell Core as I needed to use the SkipCertificateCheck switch for our test environment).

All examples are utilized with IBM QRadar Community Edition running on CentOS Minimal

Ariel
- searches
  - Pass AQL
- List Databases
Offenses
- List
  - QRadar_List_Offenses.py
  - QRadar_List_Offenses.ps1
Reference Data
- Reference Sets (The only reference collection you can manage in the web console)
- Reference Maps
- Reference Map of Sets
  - Create
    - QRadar_Create_ReferenceMapOfSets.py
  - Add
    - QRadar_Add_ReferenceMapOfSets.py
    - QRadar_Add_Bulk_ReferenceMapOfSets.py
  - List
    - QRadar_List_ReferenceMapOfSets.py
- Reference Map of Maps (incomplete)
- Reference Table (incomplete)

AQL Usage

ReferenceSets

function: REFERENCESETCONTAINS

SELECT DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss') as 'Date',
       sourceIP, destinationIP, username
FROM events
WHERE REFERENCESETCONTAINS('DEMO_UserName',username)

ReferenceMaps

function: REFERENCEMAP

SELECT username, count(*),
       REFERENCEMAP('DEMO_MAP',LOWER(username)) as Full_Name_Of_User
FROM events
GROUP BY username

About

Using QRadar API

Languages

Language:Python 67.5%Language:PowerShell 32.5%