IBM QRadar

IBM® QRadar® Security Information and Event Management (SIEM) helps security teams accurately detect and prioritize threats across the enterprise, and it provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

Connect QRadar with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for IBM QRadar.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. URL: URL to your IBM QRadar instance.

  9. Authentication Token: Authentication Token for IBM QRadar.

  10. After you've entered all the details, click Connect.

Actions for QRadar

Get Offenses

Get offenses from QRadar

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Range

Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero.

Optional

Sort

Sort condition (default is empty value). Example: +field_one,-object(sub_field).

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of offenses
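The Fields and Range inputs above describe a selector syntax (field_one (field_two, field_three),field_four) and a zero-indexed item range, but not how a playbook author can check them before a run. The following is an added example, not code from Devo SOAR or IBM: a parser for that selector syntax, a client-side projection that applies the parsed selection to a result row, and a helper for the range. It assumes a grammar of comma-separated names with optional parenthesised sub-selections, and that the range is sent as the HTTP Range header ("items=start-end", inclusive) that the QRadar REST API uses for paging; the offense row is constructed.

```python
"""Added example, not code from Devo SOAR or IBM: parse the QRadar-style
'fields' selector and apply it to a result row; build the paging header.

Assumed (the page does not spell it out):
    selector := item (',' item)*        item := name [ '(' selector ')' ]
and the Range value is the HTTP Range header, zero-indexed and inclusive.
SAMPLE_OFFENSE is a constructed row, not real QRadar output.
"""
import re

_TOKEN = re.compile(r"\s*([A-Za-z_][A-Za-z0-9_]*|[(),])")


def _tokenize(selector):
    """Split a selector into names and punctuation; reject anything else."""
    selector = selector.strip()
    pos, tokens = 0, []
    while pos < len(selector):
        match = _TOKEN.match(selector, pos)
        if not match:
            raise ValueError(f"bad character at offset {pos}: {selector[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def _parse_list(tokens, pos):
    """Parse 'item (, item)*' starting at pos; return (tree, next_pos)."""
    tree = {}
    while True:
        if pos >= len(tokens) or tokens[pos] in {"(", ")", ","}:
            raise ValueError(f"expected a field name at token {pos}")
        name, pos = tokens[pos], pos + 1
        sub = None
        if pos < len(tokens) and tokens[pos] == "(":
            sub, pos = _parse_list(tokens, pos + 1)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"missing ')' after sub-fields of {name!r}")
            pos += 1
        tree[name] = sub
        if pos < len(tokens) and tokens[pos] == ",":
            pos += 1  # another item follows
            continue
        return tree, pos


def parse_fields(selector):
    """Return {field: sub_selection or None} for a selector string."""
    tokens = _tokenize(selector)
    tree, pos = _parse_list(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return tree


def is_valid_selector(selector):
    """True when the selector parses; check this before handing it to the API."""
    try:
        parse_fields(selector)
        return True
    except ValueError:
        return False


def project(value, tree):
    """Keep only the selected keys of a dict, or of each dict in a list."""
    if tree is None:
        return value
    if isinstance(value, list):
        return [project(item, tree) for item in value]
    if not isinstance(value, dict):
        return value
    return {key: project(value[key], sub) for key, sub in tree.items() if key in value}


def range_header(start, end):
    """Header for a zero-indexed, inclusive item range, e.g. items=0-5."""
    if start < 0 or end < start:
        raise ValueError("range must satisfy 0 <= start <= end")
    return {"Range": f"items={start}-{end}"}


SAMPLE_OFFENSE = {  # constructed sample row
    "id": 42, "status": "OPEN", "magnitude": 7, "assigned_to": None,
    "rules": [{"id": 100, "type": "CRE_RULE"}, {"id": 101, "type": "CRE_RULE"}],
}

if __name__ == "__main__":
    print(parse_fields("field_one (field_two, field_three),field_four"))
    print(project(SAMPLE_OFFENSE, parse_fields("id,status,rules(id)")))
    print(range_header(0, 5))
```

Validating the selector locally means a typo such as a missing closing bracket fails in the playbook editor rather than as an opaque API error at run time, and the projection lets you see what a given Fields value will keep before narrowing the data the playbook stores.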

Get Offense By ID

Get offense from QRadar with the given ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


ID

Column name from parent table containing offense ID.

Required

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Offense object

Update Offense

Update offense in QRadar.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Offense ID

Column name from parent table containing Offense ID.

Required

Assigned To User Column

Column name from parent table containing a user to assign the offense to (Default is Empty value).

Required

Closing Reason ID

Column name from parent table containing the ID of a closing reason (Default is 0 as ID). You must provide a valid closing_reason_id when you close an offense.

Optional

Status

Column name from parent table containing the new status of offense (Default is Empty value). Set to one of OPEN, HIDDEN, CLOSED. When the status of an offense is being set to CLOSED, a valid closing_reason_id must be provided. To hide an offense, use the HIDDEN status. To show a previously hidden offense, use the OPEN status.

Optional

Fields

Comma-separated fields (Default is Empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Updated Offense object.
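The Status and Closing Reason ID rows above state two constraints (status must be OPEN, HIDDEN or CLOSED; closing needs a valid closing_reason_id) that are cheap to check before a row is sent. The following is an added example, not code from Devo SOAR or IBM, that validates one parent-table row against those rules, builds the request, and reports each row in the has_error / error / result shape shown above. It assumes the action maps to QRadar's POST /api/siem/offenses/{id} with status, closing_reason_id, assigned_to and fields as query parameters, that a closing reason of 0 (the page's default) means "not provided", and that the token is sent in the SEC header; the rows and the fake sender are constructed.

```python
"""Added example, not code from Devo SOAR or IBM: validate Update Offense rows
and wrap the outcome in the has_error / error / result envelope.

Assumed: POST /api/siem/offenses/{id} with query parameters, closing reason
0 means "not provided", token in the SEC header. Rows are constructed.
"""
VALID_STATUS = {"OPEN", "HIDDEN", "CLOSED"}


def build_update_offense(row, offense_id_col, status_col=None, assigned_col=None,
                         closing_reason_col=None, fields=""):
    """Return (error, request): error is None when the row is valid."""
    try:
        offense_id = int(row[offense_id_col])
    except (KeyError, TypeError, ValueError):
        return f"missing or non-integer offense id in column {offense_id_col!r}", None

    params = {}
    status = str(row.get(status_col) or "").strip().upper() if status_col else ""
    if status:
        if status not in VALID_STATUS:
            return f"status must be one of {sorted(VALID_STATUS)}, got {status!r}", None
        params["status"] = status

    try:
        closing_reason = int(row.get(closing_reason_col) or 0) if closing_reason_col else 0
    except (TypeError, ValueError):
        return "closing reason id must be an integer", None
    if status == "CLOSED" and closing_reason <= 0:
        return "a valid closing_reason_id is required when status is CLOSED", None
    if closing_reason > 0:
        params["closing_reason_id"] = closing_reason

    user = str(row.get(assigned_col) or "").strip() if assigned_col else ""
    if user:
        params["assigned_to"] = user
    if not params:
        return "nothing to update: give a status, assignee or closing reason", None
    if fields:
        params["fields"] = fields
    return None, {
        "method": "POST",
        "path": f"/api/siem/offenses/{offense_id}",
        "params": params,
        "headers": {"SEC": "<token from the connection>", "Accept": "application/json"},
    }


def run_update_offense(rows, send, **columns):
    """Validate and send each row; send(request) returns the updated offense."""
    results = []
    for row in rows:
        error, request = build_update_offense(row, **columns)
        if error is None:
            try:
                results.append({"has_error": False, "error": None, "result": send(request)})
                continue
            except Exception as exc:  # an API or transport failure becomes a row error
                error = str(exc)
        results.append({"has_error": True, "error": error, "result": None})
    return results


def fake_send(request):
    """Stand-in for the HTTP call: echoes the offense as the API would return it."""
    offense_id = int(request["path"].rsplit("/", 1)[1])
    return {"id": offense_id, **request["params"]}


SAMPLE_ROWS = [  # constructed parent-table rows
    {"offense_id": "17", "new_status": "closed", "reason": "3"},
    {"offense_id": "18", "new_status": "CLOSED", "reason": "0"},
    {"offense_id": "19", "new_status": "ARCHIVED"},
]

if __name__ == "__main__":
    for outcome in run_update_offense(SAMPLE_ROWS, fake_send, offense_id_col="offense_id",
                                      status_col="new_status", closing_reason_col="reason"):
        print(outcome)
```

Because every row gets its own envelope, one bad row (a missing closing reason, an unknown status) does not stop the batch, and the has_error flag is what a downstream playbook step should branch on rather than assuming result is populated.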

Get Assets

Get assets from QRadar.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is Empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of assets

Update Asset

Update Asset by ID from QRadar.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Asset ID

Column name from parent table containing Asset ID.

Required

Asset Body

Column name from parent table containing the JSON representation of an asset.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Asset object

Execute Search

Execute search in QRadar and retrieve results.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

 

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

 

Jinja Template for Templated Query Expression

Provide a jinja-templated AQL (Ariel Query Language) query expression. Example: select * from events where eventcount>{{eventcount_column}}.

 

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Search result
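Both the filter templates used by the list actions (status=open and start_time > {{time_column}}) and the AQL template here substitute values taken from parent-table columns into query text. The following is an added example, not code from Devo SOAR or IBM, serving both passages: a deliberately strict stand-in for that rendering which supports only {{ column }} placeholders, so each value is inserted as a literal (integers verbatim, strings single-quoted with embedded quotes doubled, anything else rejected), followed by the submit / poll / fetch cycle that "execute search and retrieve results" implies. It assumes the Ariel endpoints POST /api/ariel/searches, GET /api/ariel/searches/{id} and GET /api/ariel/searches/{id}/results with COMPLETED, ERROR and CANCELED as terminal statuses; templates, rows and the client are constructed.

```python
"""Added example, not code from Devo SOAR or IBM: strict placeholder rendering
for filter / AQL templates, and the submit-poll-fetch cycle of an Ariel search.

Assumed endpoints: POST /api/ariel/searches (query_expression),
GET /api/ariel/searches/{id}, GET /api/ariel/searches/{id}/results.
Templates, rows and FakeArielClient are constructed for illustration.
"""
import re

PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def aql_literal(value):
    """Render one column value as an AQL literal, never as query syntax."""
    if isinstance(value, bool):
        raise TypeError("booleans are not substituted into queries")
    if isinstance(value, int):
        return str(value)
    if isinstance(value, str):
        if any(ord(ch) < 32 for ch in value):
            raise ValueError("control characters are not allowed in values")
        return "'" + value.replace("'", "''") + "'"
    raise TypeError(f"unsupported value type {type(value).__name__}")


def render(template, row):
    """Replace every {{ column }} in template with the row's value as a literal."""
    def substitute(match):
        name = match.group(1)
        if name not in row:
            raise KeyError(f"template references unknown column {name!r}")
        return aql_literal(row[name])
    return PLACEHOLDER.sub(substitute, template)


def execute_search(client, query, max_polls=30):
    """Submit an AQL query, wait until it completes, return its results."""
    search_id = client.post("/api/ariel/searches", {"query_expression": query})["search_id"]
    for _ in range(max_polls):
        status = client.get(f"/api/ariel/searches/{search_id}")["status"]
        if status == "COMPLETED":
            return client.get(f"/api/ariel/searches/{search_id}/results")
        if status in ("ERROR", "CANCELED"):
            raise RuntimeError(f"search {search_id} ended with status {status}")
        # a real client would sleep between polls here
    raise TimeoutError(f"search {search_id} did not complete after {max_polls} polls")


class FakeArielClient:
    """Constructed stand-in for the HTTP client: completes on the second poll."""
    def __init__(self):
        self.polls = 0
        self.submitted = None

    def post(self, path, params):
        self.submitted = params["query_expression"]
        return {"search_id": "abc123", "status": "WAIT"}

    def get(self, path):
        if path.endswith("/results"):
            return {"events": [{"eventcount": 7, "sourceip": "10.0.0.5"}]}  # constructed
        self.polls += 1
        return {"status": "COMPLETED" if self.polls >= 2 else "EXECUTE"}


AQL_TEMPLATE = "select * from events where eventcount>{{eventcount_column}}"
FILTER_TEMPLATE = "status=open and start_time > {{time_column}}"

if __name__ == "__main__":
    print(render(FILTER_TEMPLATE, {"time_column": 1587448800000}))
    print(render(AQL_TEMPLATE, {"eventcount_column": 5}))
    # a value that looks like query syntax stays a quoted string literal
    print(render(AQL_TEMPLATE, {"eventcount_column": "5 or 1=1"}))
    client = FakeArielClient()
    print(execute_search(client, render(AQL_TEMPLATE, {"eventcount_column": 5})))
```

The point of the literal-only rendering is that parent-table columns are data that may originate outside the SOC (alert fields, enrichment results), so a template should only ever place them where a literal belongs; keeping the column typed (an integer for eventcount, an epoch millisecond integer for the time filter) makes a malformed value fail before a query is submitted.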

Get Offense Notes

Get offense notes from QRadar.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Offense ID

Column name from parent table containing offense ID.

Required

Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Range

Range (default is empty value). Example: items=0-5.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of offense notes

Create Offense Note

Create offense note in QRadar.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Offense ID

Column name from parent table containing offense ID.

Required

Note Text Column

Column name from parent table containing note text.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Offense note object

List Analytics Rules

Retrieves a list of analytics rules.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Range

Range (default is empty value). Example: items=0-5.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of analytics rules.

Get Analytics Rules By ID

Retrieves an analytics rule by ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Rule ID

Column name from parent table containing rule ID.

Required

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Analytics rule object

List Map Of Sets (Reference Data)

Retrieve a list of all reference map of sets.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Range

Range (default is empty value). Example: items=0-5.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of map of sets.

Get Map Of Sets (Reference Data) by Name

Retrieves a map of sets by name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map of sets to retrieve.

Required

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Map of sets object

Create Map Of Sets (Reference Data)

Create a new reference map of sets.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map of sets to create.

Required

Key Label

Column name from parent table containing the label to describe the keys.

Required

Value Label

Column name from parent table containing the label to describe the data values.

Required

Element Type

Select the element type for the values allowed in the reference map of sets (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.

Optional

Timeout Type

Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.

Optional

Time To Live

The time to live interval, for example: "1 month" or "5 minutes".

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Map of sets object.

Update Map Of Sets (Reference Data)

Add or update an element in a reference map of sets.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map of sets to add or update an element in.

Required

Key

Column name from parent table containing the key of the set to add or update.

Required

Value

Column name from parent table containing the value to add or update in the reference map of sets.

Required

Source

Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Map of sets object.
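The Create action above fixes the element type, timeout type and time-to-live of a reference map of sets, and the Update action then feeds values into it from parent-table columns; reference data of this kind is typically consumed by detection rules, so a value of the wrong shape (an ISO date string where epoch milliseconds are expected, a hostname in an IP-typed collection) silently weakens detections. The following is an added example, not code from Devo SOAR or IBM, that checks a Create row and validates an Update value against the collection's element type. The page states only that the default element type is ALN and that DATE values are milliseconds since the Unix epoch; the remaining element types (ALNIC, NUM, IP, PORT, DATE) and timeout types (UNKNOWN, FIRST_SEEN, LAST_SEEN) are the QRadar REST API values as I know them, the accepted time-to-live units are an assumption, and all sample values are constructed.

```python
"""Added example, not code from Devo SOAR or IBM: validate Create Map Of Sets
inputs and check Update values against the collection's element type.

Element and timeout types beyond ALN / UNKNOWN are QRadar REST API values as
known to the author of this example; TTL units are assumed; samples constructed.
"""
import ipaddress
import math
import re

ELEMENT_TYPES = {"ALN", "ALNIC", "NUM", "IP", "PORT", "DATE"}
TIMEOUT_TYPES = {"UNKNOWN", "FIRST_SEEN", "LAST_SEEN"}
_TTL = re.compile(r"^\s*(\d+)\s*(minutes?|hours?|days?|weeks?|months?|years?)\s*$", re.I)
_UNIX_MS_2000 = 946684800000  # 2000-01-01T00:00:00Z; anything below is not ms since epoch


def validate_element(element_type, value):
    """Return None when value fits element_type, else a message saying why not."""
    element_type = element_type.upper()
    if element_type not in ELEMENT_TYPES:
        return f"unknown element type {element_type!r}"
    if isinstance(value, bool):
        return "booleans are not valid reference data values"
    if element_type in ("ALN", "ALNIC"):
        if not isinstance(value, str) or not value.strip():
            return "alphanumeric values must be non-empty strings"
        if any(ord(ch) < 32 for ch in value):
            return "alphanumeric values must not contain control characters"
        return None
    if element_type == "NUM":
        try:
            number = float(value)
        except (TypeError, ValueError):
            return f"{value!r} is not numeric"
        return None if math.isfinite(number) else f"{value!r} is not a finite number"
    if element_type == "PORT":
        ok = isinstance(value, int) and 0 <= value <= 65535
        return None if ok else f"{value!r} is not a port number"
    if element_type == "IP":
        try:
            ipaddress.ip_address(str(value).strip())
        except ValueError:
            return f"{value!r} is not an IP address"
        return None
    # DATE: epoch milliseconds, so neither an ISO string nor epoch seconds passes
    if not isinstance(value, int) or value < _UNIX_MS_2000:
        return f"{value!r} is not an epoch timestamp in milliseconds"
    return None


def parse_ttl(text):
    """Parse '1 month' or '5 minutes' into (count, unit) with a singular unit."""
    match = _TTL.match(text)
    if not match or int(match.group(1)) == 0:
        raise ValueError(f"bad time-to-live {text!r}; expected e.g. '1 month' or '5 minutes'")
    return int(match.group(1)), match.group(2).lower().rstrip("s")


def check_create(name, element_type="ALN", timeout_type="UNKNOWN", ttl=""):
    """Problems with a Create Map Of Sets row; an empty list means it is fine."""
    problems = []
    if not isinstance(name, str) or not name.strip():
        problems.append("name must be a non-empty string")
    if element_type.upper() not in ELEMENT_TYPES:
        problems.append(f"unknown element type {element_type!r}")
    if timeout_type.upper() not in TIMEOUT_TYPES:
        problems.append(f"unknown timeout type {timeout_type!r}")
    if ttl:
        try:
            parse_ttl(ttl)
        except ValueError as exc:
            problems.append(str(exc))
    return problems


if __name__ == "__main__":
    print(check_create("suspicious_hosts", "IP", "LAST_SEEN", "1 month"))   # []
    for element_type, value in [("IP", "10.0.0.5"), ("IP", "host01"),
                                ("DATE", 1587448800000), ("DATE", "2020-04-21")]:
        print(element_type, repr(value), validate_element(element_type, value))
```

Running validate_element on the Value column before the Update action keeps a row with a malformed value from being written, and the returned message is what to surface in the action's error field so the analyst sees which row was rejected and why.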

Delete Map Of Sets (Reference Data)

Removes a map of sets.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map of sets to remove.

Required

Purge Only

Select the purge behavior (default is FALSE). This indicates whether the reference map of sets should have its contents purged (TRUE), keeping the structure of the object.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message

List Map (Reference Data)

Retrieve a list of all reference maps.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Range

Range (default is empty value). Example: items=0-5.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of maps.

Get Map (Reference Data) by Name

Retrieves a map identified by name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map to retrieve.

Required

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Map object

Create Map (Reference Data)

Create a new reference map.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map to create.

Required

Key Label

Column name from parent table containing the label to describe the keys.

Required

Value Label

Column name from parent table containing the label to describe the data values.

Required

Element Type

Select the element type for the values allowed in the reference map (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.

Optional

Timeout Type

Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.

Optional

Time To Live

The time to live interval, for example: "1 month" or "5 minutes".

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Map object

Update Map (Reference Data)

Add or update an element in a reference map.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map to add or update an element in.

Required

Key

Column name from parent table containing the key to add or update in the reference map.

Required

Value

Column name from parent table containing the value to add or update in the reference map.

Required

Source

Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Map object

Delete Map (Reference Data)

Removes a map.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference map to remove.

Required

Purge Only

Select the purge behavior (default is FALSE). This indicates whether the reference map should have its contents purged (TRUE), keeping the structure of the object.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message

List Sets (Reference Data)

Retrieve a list of all reference sets.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Range

Range (default is empty value). Example: items=0-5.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of sets

Get Set (Reference Data) by Name

Retrieve the reference set identified by name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference set to retrieve.

Required

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Set object

Create Set (Reference Data)

Create a new reference set.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference set being created.

Required

Value Label

Column name from parent table containing the label to describe the data values.

Required

Element Type

Select the element type for the values allowed in the reference set (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.

Optional

Timeout Type

Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.

Optional

Time To Live

The time to live interval, for example: "1 month" or "5 minutes".

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Set object

Update Set (Reference Data)

Add or update an element in a reference set.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference set to add or update an element in.

Required

Value

Column name from parent table containing the value to add or update in the reference set.

Required

Source

Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Set object

Delete Set (Reference Data)

Removes a set.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference set to remove.

Required

Purge Only

Select the purge behavior (default is FALSE). This indicates whether the reference set should have its contents purged (TRUE), keeping the structure of the object.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message

List Tables (Reference Data)

Retrieve a list of all reference tables.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Start Time

Start time, epoch timestamp in milliseconds to use in query for the filter (default is batch start time). Example: 1587448800000.

Optional

End Time

End time, epoch timestamp in milliseconds to use in query for the filter (default is batch end time). Example: 1587448800000.

Optional

Jinja Template for Filter

Provide a jinja-templated filter condition (default is empty value). Example: status=open and start_time > {{time_column}}.

Optional

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Range

Range (default is empty value). Example: items=0-5.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of tables.

Get Set (Reference Data) by Name

Retrieve the reference table identified by name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference table to retrieve.

Required

Fields

Comma-separated fields (default is empty value). Specify subfields in brackets and multiple fields in the same object are separated by commas. Example: field_one (field_two, field_three),field_four.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Table object.

Create Table (Reference Data)

Create a new reference table.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference table being created.

Required

Outer Key Label

Column name from parent table containing the label to describe the outer keys.

Required

Element Type

Select the element type for the values allowed in the reference table (default is ALN (alphanumeric)). Note that date values need to be represented in milliseconds since the Unix Epoch, 01 January 1970.

Optional

Timeout Type

Select the timeout type (default is UNKNOWN). This indicates whether the time_to_live interval is based on when the data was first seen or last seen.

Optional

Time To Live

The time to live interval, for example: "1 month" or "5 minutes".

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Table object

Update Table (Reference Data)

Add or update an element in a reference table.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required


Name

Column name from parent table containing the name of the reference table to add or update an element in.

Required

Outer Key

Column name from parent table containing the outer key to add or update.

Required

Inner Key

Column name from parent table containing the inner key to add or update.

Required

Value

Column name from parent table containing the value to add or update in the reference table.

Required

Source

Column name from parent table containing the source that indicates where the data originated (Default is "reference data api").

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Table object.

Delete Table (Reference Data)

Removes a table.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Name | Column name from parent table containing the name of the reference table to remove. | Required |
| Purge Only | Select purge behavior (default is FALSE). This indicates whether the reference map of sets should have its contents purged (TRUE) while keeping the structure of the object. | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Success/Failure message.

List Mappings (MITRE Information)

Returns all MITRE attack rule mappings in QRadar use case manager.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Use Case Manager ID | Column name from parent table containing the use case manager plugin ID. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: List of mappings.

Get Mappings (MITRE Information) By Rule ID

Returns the rule mappings in QRadar use case manager.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Use Case Manager ID | Column name from parent table containing the use case manager plugin ID. | Required |
| Rule ID | Column name from parent table containing the rule ID. | Required |
| Tactic Name | Column name from parent table containing the tactic name. | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Mapping object.

Update Map Bulk (Reference Data)

Adds or updates data in a reference map in one go; this action works across the entire parent table.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Name | Name of the reference map to add or update an element in. | Required |
| Key | Column name from parent table containing the key to add or update in the reference map. | Required |
| Value | Column name from parent table containing the value to add or update in the reference map. | Required |
| Fields | Comma-separated fields (Default is empty value). Specify subfields in brackets; multiple fields in the same object are separated by commas. Example: field_one, second_one. | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • result: Mapping object.

```json
{
  "has_error": false,
  "result": {
    "name": "S7",
    "timeout_type": "UNKNOWN",
    "creation_time": 1593115291310,
    "time_to_live": "0 years 0 mons 0 days 0 hours 1 mins 0.00 secs",
    "element_type": "ALN",
    "number_of_elements": 8
  },
  "error": null
}
```

Get Offenses By Source Address

Retrieve a list of offense source addresses currently in the system.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Filter | [Jinja-template](doc:jinja-template) containing filter condition. This parameter is used to restrict the elements in a list based on the contents of various fields (Default is empty value). | Required |
| Fields | [Jinja-template](doc:jinja-template) containing comma-separated fields. Specify subfields in brackets; multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, second_one. | Required |
| Range | Provide the range. Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero (Default is empty value), e.g. items=0-5. | Required |

Output

A JSON object containing multiple rows of result:

```json
[
  {
    "last_event_flow_seen": 1631175930971,
    "network": "other",
    "source_ip": "104.16.21.35",
    "first_event_flow_seen": 1544298346852,
    "domain_id": 0,
    "magnitude": 0,
    "offense_ids": [ 40 ],
    "local_destination_address_ids": [ 3 ],
    "id": 6,
    "event_flow_count": 43457
  }
]
```
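The Fields and Range parameters above (the same Fields syntax recurs throughout the reference data actions) can be exercised offline with this added Python example; it is not Devo SOAR or QRadar code. The sample rows are constructed to mirror the output shape shown above, and treating the Range end as inclusive (as with an HTTP Range header) is an assumption.

```python
import re
# Constructed sample shaped like the page's Get Offenses By Source Address output.
SAMPLE = [
    {"id": 6, "source_ip": "104.16.21.35", "network": "other", "offense_ids": [40],
     "local_destination_address_ids": [3], "event_flow_count": 43457},
    {"id": 7, "source_ip": "10.0.0.5", "network": "internal", "offense_ids": [41, 42],
     "local_destination_address_ids": [], "event_flow_count": 12},
]

def parse_fields(spec):
    """Parse 'a,b(c,d),e' into {'a': None, 'b': {'c': None, 'd': None}, 'e': None}."""
    tokens, pos = re.findall(r"\w+|[(),]", spec), 0
    def parse_list():
        nonlocal pos
        tree = {}
        while pos < len(tokens) and tokens[pos] != ")":
            tok = tokens[pos]
            pos += 1
            if tok == ",":
                continue
            if tok == "(":
                raise ValueError("subfield list without a field name")
            sub = None
            if pos < len(tokens) and tokens[pos] == "(":
                pos += 1
                sub = parse_list()
                if pos >= len(tokens):
                    raise ValueError("unclosed '(' in fields expression")
                pos += 1  # consume the matching ')'
            tree[tok] = sub
        return tree
    tree = parse_list()
    if pos != len(tokens):  # a stray ')' stopped the top-level parse early
        raise ValueError("unbalanced ')' in fields expression")
    return tree

def project(obj, tree):
    """Keep only the selected fields, recursing into nested objects and lists of them."""
    if tree is None or not isinstance(obj, dict):
        return obj
    return {k: [project(v, s) for v in obj[k]] if isinstance(obj[k], list) else project(obj[k], s)
            for k, s in tree.items() if k in obj}

def select(rows, fields, range_spec):
    """Apply Range ('items=0-5', zero-indexed, end assumed inclusive), then trim rows to Fields."""
    m = re.fullmatch(r"items=(\d+)-(\d+)", range_spec.strip())
    if not m or int(m.group(2)) < int(m.group(1)):
        raise ValueError("range must look like items=0-5")
    tree = parse_fields(fields)
    return [project(row, tree) for row in rows[int(m.group(1)):int(m.group(2)) + 1]]
```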

Get Offenses By Local Destination Address

Retrieve a list of offense local destination addresses currently in the system.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Filter | Jinja-template text containing filter condition. This parameter is used to restrict the elements in a list based on the contents of various fields (Default is empty value). | Required |
| Fields | Jinja-template text containing comma-separated fields. Specify subfields in brackets; multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, second_one. | Required |
| Range | Provide the range. Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero (Default is empty value), e.g. items=0-5. | Required |

Output

A JSON object containing multiple rows of result:

```json
[
  {
    "last_event_flow_seen": 1631172764005,
    "network": "Net-10-172-192.Net_172_16_0_0",
    "first_event_flow_seen": 1544294554145,
    "domain_id": 0,
    "magnitude": 0,
    "local_destination_ip": "172.19.144.104",
    "source_address_ids": [ 6 ],
    "offense_ids": [ 40 ],
    "id": 3,
    "event_flow_count": 308226
  }
]
```

Get Domains

Retrieves the list of all domains, active and deleted (including the default domain).

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| Filter | [Jinja-template](doc:jinja-template) text containing filter condition. This parameter is used to restrict the elements in a list based on the contents of various fields (Default is empty value). | Required |
| Fields | [Jinja-template](doc:jinja-template) text containing comma-separated fields. Specify subfields in brackets; multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, second_one. | Required |
| Range | Provide the range. Use this parameter to restrict the number of elements that are returned in the list to a specified range. The list is indexed starting at zero (Default is empty value), e.g. items=0-5. | Required |

Output

A JSON object containing multiple rows of result:

```json
[
  {
    "event_collector_ids": [ ],
    "description": "",
    "log_source_group_ids": [ ],
    "deleted": false,
    "asset_scanner_ids": [ ],
    "custom_properties": [ ],
    "id": 0,
    "flow_collector_ids": [ ],
    "tenant_id": 0,
    "log_source_ids": [ ],
    "flow_source_ids": [ ],
    "qvm_scanner_ids": [ ],
    "name": ""
  }
]
```

Get Log Source Type by ID

Retrieves the Log Source Type by ID

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| ID | Jinja-templated text containing the Log Source Type ID. Example: {{log_source_type_id}}. | |
| Fields | Jinja-templated text containing comma-separated fields. Specify subfields in brackets; multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, {{second_one}}. | |

Output

A JSON object containing the Log Source.

```json
{
  "custom": true,
  "default_protocol_id": 42,
  "id": 42,
  "internal": true,
  "log_source_extension_id": 42,
  "name": "String",
  "protocol_types": [
    { "documented": true, "protocol_id": 42 }
  ],
  "supported_language_ids": [ 42 ],
  "version": "String"
}
```

Get Offense Type by ID

Retrieves the Offense Type by ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name | Description | Required |
| :--- | :--- | :--- |
| ID | [Jinja-templated](doc:jinja-template) text containing the Offense Type ID. Example: {{ibm_qradar_offense_type_id}}. | Required |
| Fields | [Jinja-templated](doc:jinja-template) text containing comma-separated fields. Specify subfields in brackets; multiple fields in the same object are separated by commas (Default is empty value). Example: field_one, {{second_one}}. | Optional |

Output

A JSON object containing multiple rows of result:

```json
{
  "custom": true,
  "database_type": "String",
  "id": ,
  "name": "String",
  "property_name": "String"
}
```

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.7.3 - Revert the bug fix of v1.7.2.

  • v1.7.2 - Bug fix: Considering time filter in Execute Search action.