Topic
  • 17 replies
  • Latest Post - ‏2015-12-17T21:30:14Z by Jonathan.Pechta (IBM)
Jonathan.Pechta (IBM)
39 Posts

Pinned topic QRadar API -The basics

‏2014-01-29T17:18:46Z |

 

The basics:

In QRadar 7.2 MR1, a framework was added to help make HTTPS queries easy for API developers through the implementation of a user interface for the API. This API framework allows customers to input information, click test, and receive properly formatted HTTPS URL, expected responses, header information, error information, schema information, and more for the input format for your put, get, post, or delete commands. The over all goal is to provide an API and a framework that helps administrators/programmers understand how to work with the API.

 

How to access the API:

Access to the API requires authentication. QRadar admin accounts should automatically have the user role for the API enabled.

 

To access the QRadar Restful API, you can type the following URL in to your browser:

https://ConsoleIPaddress/restapi/doc/

This URL prompts the user to verify the security credentials for the site and to authenticate as a QRadar users. A user account is required to access the QRadar API.

 

What should I see after I log in?

After you log in, the API options displayed can depend on the products you have licensed. As QRadar and QRadar Vulnerability Manager have API implementations.

  • QRadar provides a /referencedata, /auth, and /help. These menus are expandable and display the get, post, and delete commands.
  • QRadar Vulnerability Manager provides /qvm and /scanner. These menus allow you to query QRadar Vulnerability Manager for data or put data in QVM to update remediation for an assigned vulnerability. The /scanner API provides administrators a way to work with scan profiles through the API.

 

The goal of this forum is to provide information and knowledge to assist administrators with QRadar API questions.

 

Updated on 2014-02-01T19:04:15Z at 2014-02-01T19:04:15Z by Jonathan.Pechta (IBM)
  • mcalvi91
    mcalvi91
    2 Posts

    Re: QRadar API -The basics

    ‏2014-01-31T15:52:44Z  

    Good deal. we have been waiting on this a while.

    Can you give some information on what the "provisional" tag means for the various APIs and where the documentation of what the API call does?

  • Jonathan.Pechta (IBM)
    39 Posts

    Re: QRadar API -The basics

    ‏2014-02-01T19:12:56Z  
    • mcalvi91
    • ‏2014-01-31T15:52:44Z

    Good deal. we have been waiting on this a while.

    Can you give some information on what the "provisional" tag means for the various APIs and where the documentation of what the API call does?

    mcalvi91,

     

    We are working on a FAQ page and codes samples that we want to get posted soon. After we post the FAQ, we will be updating the post with additional customer questions and answers as a sticky post for this forum.

    To answer your question, the provisional tag indicates that these API fields are provisional and subject to arbitrary change or removal without any notice.

     

  • lukaszf
    lukaszf
    1 Post

    Re: QRadar API -The basics

    ‏2014-02-06T15:23:57Z  

    Introducing the REST API in QRadar is a really nice faeture because it provides more possibilities and more flexibility to any integration attempts with external systems.
    But it seems that something is missing here. Where are methods which allow to read Offense details?
    In my opinion two additional methods could be very useful in case of Offenses: GET (read offense details) and PUT (update offense state, add note etc.)
    For example, an integration with external Service Desk system (as long as it supports REST API) would become much easier and straightforward.
     

  • PeterManahan
    PeterManahan
    15 Posts

    Re: QRadar API -The basics

    ‏2014-02-06T16:41:54Z  
    • lukaszf
    • ‏2014-02-06T15:23:57Z

    Introducing the REST API in QRadar is a really nice faeture because it provides more possibilities and more flexibility to any integration attempts with external systems.
    But it seems that something is missing here. Where are methods which allow to read Offense details?
    In my opinion two additional methods could be very useful in case of Offenses: GET (read offense details) and PUT (update offense state, add note etc.)
    For example, an integration with external Service Desk system (as long as it supports REST API) would become much easier and straightforward.
     

    The intent is to add more and more API's for various aspects of the product each release and to evolve the existing ones as they get used. Although the set of API's today is limited over time it will grow.  API's for offences are one of the area's we will be looking at.

  • pjl
    pjl
    7 Posts

    Re: QRadar API -The basics

    ‏2014-03-13T16:32:07Z  

    I can't tell you how happy I am to finally see web services in QRadar! This is such a huge step forward for the platform!

     

    When I try to use /sets/bulkLoad from the "Try It Now!" page (which uses cookies for authentication), the web service works correctly.  However, with Basic Authorization, the web service does a 302 redirect which eventually ends in an error. I've posted the request/response pairs for "Try It Now!" and Basic Auth below. Is this a known issue or am I doing something incorrectly?

     

    Try it out: (works correctly)

    POST /restapi/api/referencedata/sets/bulkLoad/FormerEmployees HTTP/1.1
    Host: logserver.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=UTF-8
    Version: 0.1
    X-Requested-With: XMLHttpRequest
    Referer: https://logserver.local/restapi/doc
    Content-Length: 7
    Cookie: JSESSIONID=333333333333333333; SEC=4444444444444444444; ColDefSection=block
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    ["gus"]


    HTTP/1.1 200 OK
    Date: Thu, 13 Mar 2014 16:15:40 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    Content-Type: application/json
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Length: 126

    {"name":"FormerEmployees","elementType":"ALN","createdTime":1394658674828,
      "timeoutType":"FIRST_SEEN","numberOfElements":6}
     
     
     
    Basic Authorization: (Fails)

    POST /restapi/api/referencedata/sets/bulkLoad/FormerEmployees HTTP/1.1
    Host: logserver.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=UTF-8
    Version: 0.1
    X-Requested-With: XMLHttpRequest
    Referer: https://logserver.local/restapi/doc
    Content-Length: 7
    Authorization: Basic c19XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXvaU55blEyYg==
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    ["gus"]


    HTTP/1.1 302 Found
    Date: Thu, 13 Mar 2014 16:16:48 GMT
    Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/restapi; Secure
    Set-Cookie: SEC=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY; Path=/restapi; Secure
    Location: https://logserver.local/restapi/api/referencedata/sets/bulkLoad/FormerEmployees;JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Content-Length: 0
    Cache-Control: max-age=1209600
    Expires: Thu, 27 Mar 2014 16:16:48 GMT
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Type: text/plain; charset=UTF-8


    GET /restapi/api/referencedata/sets/bulkLoad/FormerEmployees;JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
    Host: logserver.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://logserver.local/restapi/doc
    X-Requested-With: XMLHttpRequest
    Version: 0.1
    Content-Type: application/json
    Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; SEC=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY; ColDefSection=block
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    HTTP/1.1 404 Not Found
    Date: Thu, 13 Mar 2014 16:17:23 GMT
    Set-Cookie: JSESSIONID=ZZZZZZZZZZZZZZZZZZZZZZZ; Path=/restapi; Secure
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    Content-Type: application/json
    Content-Length: 351
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive

    {
        "httpResponse":
        {
            "code": 404,
            "message": "We could not find the resource you requested. Please refer to the documentation for the list of resources"
        },
        "code": 5,
        "message": "HTTP method [GET] is not supported by the endpoint at the given relative path (/referencedata/sets/bulkLoad/FormerEmployees)",
        "description": "",
        "details": {}
    }

     

     

    Updated on 2014-03-13T16:34:05Z at 2014-03-13T16:34:05Z by pjl
  • pjl
    pjl
    7 Posts

    Re: QRadar API -The basics

    ‏2014-03-13T16:47:20Z  

    mcalvi91,

     

    We are working on a FAQ page and codes samples that we want to get posted soon. After we post the FAQ, we will be updating the post with additional customer questions and answers as a sticky post for this forum.

    To answer your question, the provisional tag indicates that these API fields are provisional and subject to arbitrary change or removal without any notice.

     

    Jonathan,

    Can you offer any guidance on when the FAQ and code samples will become available? This will be most useful to me.

     

    Thanks,

    Paul

  • pjl
    pjl
    7 Posts

    Re: QRadar API -The basics

    ‏2014-03-13T17:02:46Z  

    The intent is to add more and more API's for various aspects of the product each release and to evolve the existing ones as they get used. Although the set of API's today is limited over time it will grow.  API's for offences are one of the area's we will be looking at.

    Here are some additional web services to consider:

    Create/Modify/Delete/Enumerate Log Sources
      (log source enumeration should include full detail, including assigned parsing enhancements)

    Create/Modify/Delete Log Source Groups

    Assign/Remove a Log Source From A Log Source Group

    Enumerate Log Source Group Membership

    Submit Bulk Asset Data (allow additional attributes to be defined, as opposed to discovered)

    Create/Modify/Delete/Enumerate Users

    Create/Modify/Delete/Enumerate Networks

    Perform Log Searches

    Detect the need to deploy changes
    Ability to deploy changes

  • KateM (IBM)
    KateM (IBM)
    43 Posts

    Re: QRadar API -The basics

    ‏2014-03-20T13:04:23Z  
    • pjl
    • ‏2014-03-13T16:32:07Z

    I can't tell you how happy I am to finally see web services in QRadar! This is such a huge step forward for the platform!

     

    When I try to use /sets/bulkLoad from the "Try It Now!" page (which uses cookies for authentication), the web service works correctly.  However, with Basic Authorization, the web service does a 302 redirect which eventually ends in an error. I've posted the request/response pairs for "Try It Now!" and Basic Auth below. Is this a known issue or am I doing something incorrectly?

     

    Try it out: (works correctly)

    POST /restapi/api/referencedata/sets/bulkLoad/FormerEmployees HTTP/1.1
    Host: logserver.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=UTF-8
    Version: 0.1
    X-Requested-With: XMLHttpRequest
    Referer: https://logserver.local/restapi/doc
    Content-Length: 7
    Cookie: JSESSIONID=333333333333333333; SEC=4444444444444444444; ColDefSection=block
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    ["gus"]


    HTTP/1.1 200 OK
    Date: Thu, 13 Mar 2014 16:15:40 GMT
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    Content-Type: application/json
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Length: 126

    {"name":"FormerEmployees","elementType":"ALN","createdTime":1394658674828,
      "timeoutType":"FIRST_SEEN","numberOfElements":6}
     
     
     
    Basic Authorization: (Fails)

    POST /restapi/api/referencedata/sets/bulkLoad/FormerEmployees HTTP/1.1
    Host: logserver.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/json; charset=UTF-8
    Version: 0.1
    X-Requested-With: XMLHttpRequest
    Referer: https://logserver.local/restapi/doc
    Content-Length: 7
    Authorization: Basic c19XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXvaU55blEyYg==
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    ["gus"]


    HTTP/1.1 302 Found
    Date: Thu, 13 Mar 2014 16:16:48 GMT
    Set-Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; Path=/restapi; Secure
    Set-Cookie: SEC=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY; Path=/restapi; Secure
    Location: https://logserver.local/restapi/api/referencedata/sets/bulkLoad/FormerEmployees;JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    Content-Length: 0
    Cache-Control: max-age=1209600
    Expires: Thu, 27 Mar 2014 16:16:48 GMT
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive
    Content-Type: text/plain; charset=UTF-8


    GET /restapi/api/referencedata/sets/bulkLoad/FormerEmployees;JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.1
    Host: logserver.local
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
    Accept: application/json
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://logserver.local/restapi/doc
    X-Requested-With: XMLHttpRequest
    Version: 0.1
    Content-Type: application/json
    Cookie: JSESSIONID=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX; SEC=YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY; ColDefSection=block
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache

    HTTP/1.1 404 Not Found
    Date: Thu, 13 Mar 2014 16:17:23 GMT
    Set-Cookie: JSESSIONID=ZZZZZZZZZZZZZZZZZZZZZZZ; Path=/restapi; Secure
    Cache-Control: no-cache, no-store, must-revalidate
    Pragma: no-cache
    Expires: 0
    Content-Type: application/json
    Content-Length: 351
    Keep-Alive: timeout=15, max=100
    Connection: Keep-Alive

    {
        "httpResponse":
        {
            "code": 404,
            "message": "We could not find the resource you requested. Please refer to the documentation for the list of resources"
        },
        "code": 5,
        "message": "HTTP method [GET] is not supported by the endpoint at the given relative path (/referencedata/sets/bulkLoad/FormerEmployees)",
        "description": "",
        "details": {}
    }

     

     

    Hi pjl,

    Thank you for bringing up this issue, we will add something in our API FAQs to provide additional information for API authentication.  From the information you posted, your issue appears to be that you are following the HTTP redirects when the first request you are making is a POST request.  The following URI only supports HTTP post requests: https://logserver.local/restapi/api/referencedata/sets/bulkLoad/{name}.  

    When you follow the redirect you are issuing a GET request, which is why you are seeing the 404 response code with the message "HTTP method [GET] is not supported by the endpoint at the given relative path (/referencedata/sets/bulkLoad/FormerEmployees) "  

    There are a couple things you can do to resolve this issue

    • Continue to follow the HTTP redirects, do the same steps as you outlined in your post, and then send another POST request to the bulkLoad URI supplying the JSESSIONID and SEC cookies in the request
    • You can send an initial GET request (to one of the API endpoints that supports GET) in order to authenticate for the API. In this instance, following the redirect will not produce the issue that you are experiencing and you can send your POST request to the bulkLoad URI supplying the JSESSIONID and SEC cookies
    • You can adjust your client code to turn off following HTTP redirects, which would allow you to receive the HTTP 302 Found response indicating you are authenticated. Then you can send  your POST request to https://logserver.local/restapi/api/referencedata/sets/bulkLoad including the JSESSIONID and SEC cookies
    Updated on 2014-03-20T13:04:54Z at 2014-03-20T13:04:54Z by KateM (IBM)
  • KateM (IBM)
    KateM (IBM)
    43 Posts

    Re: QRadar API -The basics

    ‏2014-03-20T13:07:20Z  
    • pjl
    • ‏2014-03-13T17:02:46Z

    Here are some additional web services to consider:

    Create/Modify/Delete/Enumerate Log Sources
      (log source enumeration should include full detail, including assigned parsing enhancements)

    Create/Modify/Delete Log Source Groups

    Assign/Remove a Log Source From A Log Source Group

    Enumerate Log Source Group Membership

    Submit Bulk Asset Data (allow additional attributes to be defined, as opposed to discovered)

    Create/Modify/Delete/Enumerate Users

    Create/Modify/Delete/Enumerate Networks

    Perform Log Searches

    Detect the need to deploy changes
    Ability to deploy changes

    Hi pjl,

    Thank you for your feedback regarding API functionality you would like to see.  We will certainly take these into account as we look to expand our API offerings.

  • pjl
    pjl
    7 Posts

    Re: QRadar API -The basics

    ‏2014-03-25T20:51:38Z  
    • lukaszf
    • ‏2014-02-06T15:23:57Z

    Introducing the REST API in QRadar is a really nice faeture because it provides more possibilities and more flexibility to any integration attempts with external systems.
    But it seems that something is missing here. Where are methods which allow to read Offense details?
    In my opinion two additional methods could be very useful in case of Offenses: GET (read offense details) and PUT (update offense state, add note etc.)
    For example, an integration with external Service Desk system (as long as it supports REST API) would become much easier and straightforward.
     

    I agree that being able to manipulate offense data via web service would be really useful.

     

     

     

  • Natalia_Razinkov
    Natalia_Razinkov
    5 Posts

    Re: QRadar API -The basics

    ‏2014-04-29T13:04:17Z  

    Hi pjl,

    Thank you for bringing up this issue, we will add something in our API FAQs to provide additional information for API authentication.  From the information you posted, your issue appears to be that you are following the HTTP redirects when the first request you are making is a POST request.  The following URI only supports HTTP post requests: https://logserver.local/restapi/api/referencedata/sets/bulkLoad/{name}.  

    When you follow the redirect you are issuing a GET request, which is why you are seeing the 404 response code with the message "HTTP method [GET] is not supported by the endpoint at the given relative path (/referencedata/sets/bulkLoad/FormerEmployees) "  

    There are a couple things you can do to resolve this issue

    • Continue to follow the HTTP redirects, do the same steps as you outlined in your post, and then send another POST request to the bulkLoad URI supplying the JSESSIONID and SEC cookies in the request
    • You can send an initial GET request (to one of the API endpoints that supports GET) in order to authenticate for the API. In this instance, following the redirect will not produce the issue that you are experiencing and you can send your POST request to the bulkLoad URI supplying the JSESSIONID and SEC cookies
    • You can adjust your client code to turn off following HTTP redirects, which would allow you to receive the HTTP 302 Found response indicating you are authenticated. Then you can send  your POST request to https://logserver.local/restapi/api/referencedata/sets/bulkLoad including the JSESSIONID and SEC cookies

    Hi Kate,

    do you know when the API FAQ  and samples page will be available?
    I connect to our lab QRadar rest from java and actually I am getting the same as via QRadar rest page, only lists of things aka filters, sets, etc, but I never managed to get the content itself. Is there any  API used to fetch data into QRadar JSPs? I guess these will be GET methods I am looking for.

  • PeterManahan
    PeterManahan
    15 Posts

    Re: QRadar API -The basics

    ‏2014-05-01T12:44:04Z  

    Hi Kate,

    do you know when the API FAQ  and samples page will be available?
    I connect to our lab QRadar rest from java and actually I am getting the same as via QRadar rest page, only lists of things aka filters, sets, etc, but I never managed to get the content itself. Is there any  API used to fetch data into QRadar JSPs? I guess these will be GET methods I am looking for.

    Hi,

        Can you clarify your question? I am not sure what you mean by fetching data into QRadar JSP's and more specifically what "content" you are looking for.

    <yourqradarurl>/restapi/doc  describes all the available endpoints and the GET methods are listed there. So for example

    using 
    
    referencedata/mapOfSets 
    
    returns a list of sets that are on the system which you can then query each set with
    
    
    
    
    referencedata/mapOfSets/<setname> 
    to get the contents of a set.
    
  • Jonathan.Pechta (IBM)
    39 Posts

    Re: QRadar API -The basics

    ‏2014-05-01T13:00:01Z  

    Hi Kate,

    do you know when the API FAQ  and samples page will be available?
    I connect to our lab QRadar rest from java and actually I am getting the same as via QRadar rest page, only lists of things aka filters, sets, etc, but I never managed to get the content itself. Is there any  API used to fetch data into QRadar JSPs? I guess these will be GET methods I am looking for.

    Natalia_Razinkov,

     

    We plan to have the code samples and the FAQ posted in about a week. When we post up the new content, I will start a new topic so administrators can ask questions under the post. 

  • Natalia_Razinkov
    Natalia_Razinkov
    5 Posts

    Re: QRadar API -The basics

    ‏2014-05-01T13:56:35Z  

    Hi,

        Can you clarify your question? I am not sure what you mean by fetching data into QRadar JSP's and more specifically what "content" you are looking for.

    <yourqradarurl>/restapi/doc  describes all the available endpoints and the GET methods are listed there. So for example

    <pre dir="ltr">using referencedata/mapOfSets returns a list of sets that are on the system which you can then query each set with </pre> <pre dir="ltr"> referencedata/mapOfSets/<setname> to get the contents of a set. </pre>

    Peter,
    I tried referencedata/mapOfSets/<setname>

    both from GUI and my java code, getting number of elements 0, I was not sure if I am using this correctly.
    After your reply I think it is either actually empty or has some issue.

    1) In the nearest future I will need to get offenses and associated events via API to use for mitigation analysis
    2) As well as to update assets with the missing details, e.g., Business Owner field from another non-QRadar source on regular basis via API each time a new asset discovered

    Thus I was asking about API which populates offenses page - I need this data into my java app to continue the analysis.
    Actually the best thing would be to have appropriate qradar SDK in my development environment: can be another way to get the data instead of REST. Any help in discovering this would be appreciated.

    Thanks,
    Natalie

  • Natalia_Razinkov
    Natalia_Razinkov
    5 Posts

    Re: QRadar API -The basics

    ‏2014-05-01T13:57:56Z  

    Natalia_Razinkov,

     

    We plan to have the code samples and the FAQ posted in about a week. When we post up the new content, I will start a new topic so administrators can ask questions under the post. 

    Great, will wait for this. Thanks, Jonathan!

  • PaulKlotka
    PaulKlotka
    1 Post

    Re: QRadar API -The basics

    ‏2015-12-17T20:28:59Z  

    Is there any documentation about the API that is available without QRadar. I'd like to know what is possible but I don't have access to a QRadar application.

     

    Thanks,

    Paul

  • Jonathan.Pechta (IBM)
    39 Posts

    Re: QRadar API -The basics

    ‏2015-12-17T21:30:14Z  

    Is there any documentation about the API that is available without QRadar. I'd like to know what is possible but I don't have access to a QRadar application.

     

    Thanks,

    Paul

    Yes, see the PDF Guide here: http://public.dhe.ibm.com/software/security/products/qradar/documents/7.2.6/en/b_qradar_api.pdf. The PDF is publicly facing documentation that you can read through. It is also available in the Knowledge Center, here: http://www.ibm.com/support/knowledgecenter/SS42VS_7.2.6/com.ibm.qradar.doc/c_rest_api_getting_started.html

    There are also API sample scripts that will be posted soon for QRadar 7.2.6 new features, which would be worth reviewing to learn about the QRadar API. You can download existing 7.2.5 sample scripts from this forum as well. They are posted in the pinned topic at the top of this forum.

     

    If you have further questions, let me know.

     

    *Edit to add the link to the knowledge center.

    Updated on 2015-12-17T21:43:56Z at 2015-12-17T21:43:56Z by Jonathan.Pechta (IBM)