Topic
  • 3 replies
  • Latest Post - 2015-01-20T20:46:59Z by KateM (IBM)
lin-zhao
28 Posts

Pinned topic QRadar REST API backward compatibility

2015-01-20T17:54:44Z

Hi,

My company is developing an application that works with different QRadar versions (7.2.2, 7.2.3, 7.2.4). The REST API version is different on all 3 versions. We have some questions about backward compatibility in general.

1. Is there a way to call the older API endpoint on a newer server? Something like /v1/ariel/searches on 7.2.4? 

2. Is there a way to get the API or QRadar version number from the REST endpoint?

3. If the answer is no to 1, what's your recommendation for backward compatibility when the user upgrades QRadar from the API point of view? Our need is to export events data out of QRadar. Is there an exporter tool that's not as affected by API changes?

  • KateM (IBM)
    43 Posts

    Re: QRadar REST API backward compatibility

    2015-01-20T19:14:39Z

    Hello lin-zhao

    1. You certainly can call older versions of an API endpoint by using the "Version" header in your requests. Ex: if you wanted to call version 2.0 of the GET /siem/offenses endpoint, include "Version: 2.0" as a request header. Without the Version header specified, requests are directed to the latest version. I've identified this question as an area that's lacking in our documentation; I'll see what I can do to get that improved. Specifically to your example, /ariel/searches, the older version of the ariel API was removed in 7.2.3; this means that for 7.2.3 and 7.2.4 the ariel API endpoints start at v2.0 only. That was an exceptional case; typically we will not remove endpoints without a deprecation period.

    2. Currently no, there is not a REST endpoint to get the QRadar version number of the system. I recommend opening a request for enhancement if this is a feature you would like to see added to the product.

    I wasn't sure if you still had a 3rd question based on the response to #1 being yes; let me know if part of that is still unanswered.

    Regards,

    Kate

  • lin-zhao
    28 Posts

    Re: QRadar REST API backward compatibility

    2015-01-20T19:50:57Z

    On a 7.2.3 server, I did the following and received an error. Did I miss something?

    >curl -k --user user:password --header "Version: 0.1" -d "queryExpression=SELECT payload from events between '1 days ago' and now" https://qrdemo3/restapi/api/ariel/searches

    {
      "http_response": {
        "code": 404,
        "message": "We could not find the resource you requested. Please refer to the documentation for the list of resources"
      },
      "code": 6,
      "message": "Resource at relative path (\/ariel\/searches) and request type [POST] is not supported by your requested version (0.1)",
      "description": "",
      "details": {}
    }

  • KateM (IBM)
    43 Posts
    ACCEPTED ANSWER

    Re: QRadar REST API backward compatibility

    2015-01-20T20:46:59Z

    Hi lin-zhao,

    I mentioned in my first response: Specifically to your example, /ariel/searches, the older version of the ariel API was removed in 7.2.3; this means that for 7.2.3 and 7.2.4 the ariel API endpoints start at v2.0 only. That was an exceptional case; typically we will not remove endpoints without a deprecation period.

    Unfortunately, as you're seeing, Ariel API endpoints were an exceptional case; the v0.1 of the API is not available in 7.2.3 and onward.
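
An added example, not part of the original thread and not IBM's code: one way a client could cope with the behaviour described above, by trying "Version" header values in preference order and treating only the "not supported by your requested version" 404 as a reason to fall back. The `send` transport, `fake_server` and the sample bodies are constructed for illustration.

```python
import json

# Constructed error body, shaped like the 404 response quoted in the thread.
UNSUPPORTED = json.dumps({
    "http_response": {"code": 404, "message": "We could not find the resource you requested."},
    "code": 6,
    "message": "Resource at relative path (/ariel/searches) and request type [POST] "
               "is not supported by your requested version (0.1)",
    "description": "", "details": {},
})

def is_version_rejection(status, body):
    """True only for the 'not supported by your requested version' 404, so a
    plain missing resource or an auth failure is not mistaken for it."""
    if status != 404:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    if not isinstance(doc, dict):
        return False
    return "not supported by your requested version" in str(doc.get("message", ""))

def negotiate(send, method, path, candidates):
    """Return the first Version value the server accepts for this endpoint,
    or None. `send` is a hypothetical transport callable
    (method, path, headers) -> (status, body); in production it would be an
    HTTPS client with certificate verification left on."""
    for version in candidates:
        status, body = send(method, path, {"Version": version})
        if is_version_rejection(status, body):
            continue  # endpoint exists, but not at this version
        if 200 <= status < 300:
            return version
        # Any other failure is surfaced rather than silently skipped.
        raise RuntimeError(f"{method} {path} failed with HTTP {status}")
    return None

def fake_server(supported):
    """Constructed stand-in for a console that serves the endpoint only at
    the listed versions."""
    def send(method, path, headers):
        if headers.get("Version") in supported:
            return 201, json.dumps({"search_id": "constructed-id"})
        return 404, UNSUPPORTED
    return send
```

Caching the negotiated version per endpoint, not per server, matters here because the thread shows one endpoint family losing a version while others keep theirs.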