Use the IBM Security QRadar Lookups Content Extension to closely monitor your Lookups deployment.
Important: To avoid content errors in this content extension, keep the associated DSMs
up to date. DSMs are updated as a part of the automatic updates. If automatic updates are not
enabled, download the most recent version of the associated DSMs from
IBM® Fix Central (https://www.ibm.com/support/fixcentral).
IBM Security QRadar Lookups Content Extension V1.0.1
Internal changes with no user impact.
IBM Security QRadar Lookups Content Extension V1.0.0
The following table shows the custom functions that are new or updated in IBM Security QRadar Lookups Content Extension V1.0.0.
Table 1. Custom Functions in IBM Security QRadar Lookups Content Extension V1.0.0
Name: LOOKUPS::CONTAINS( <URL>, <VALUE>, <HTTP HEADERS> )

Description: Returns TRUE if the VALUE is contained in the data structure that is located at the specified URL. Supports either a plain-text file or a JSON file with an array in it. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.
- URL
  - A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
  - The response of the URL retrieval is treated as a text file. Each line in the response is loaded as a value in the lookup.
  - Example: https://192.0.2.0/md5_blacklist.txt
- VALUE
  - The value to look for in the lookup. In most situations the value is a property of an event or a flow.
  - Example: File_Hash
- HTTP HEADERS
  - A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.
  - Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'
Example:
SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::CONTAINS('https://192.0.2.0/md5_blacklist.txt', File_Hash,
'{"Authorization":"abcde-abcde-abcde-abcde-abcde"}')

Name: LOOKUPS::MATCH( <URL>, <VALUE>, <HTTP HEADERS> )

Description: Returns the regular expression that matches if the VALUE matches any of the regular expressions that are contained in the data structure that is located at the specified URL. Supports either a plain-text file or the QRadar reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.
- URL
  - A fully qualified URL that points at the resource to be tested. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
  - The response of the URL retrieval can be one of these formats:
    - A plain text file. Each line in the response is loaded as a regular expression in the lookup.
    - A JSON file that contains a single list entry. Each entry in the list is loaded as a regular expression in the lookup.
    - A URL pointing at the QRadar reference set API. Each entry in the reference set is loaded as a regular expression in the lookup.
  - Example: https://example.com/api/reference_data/sets/url_blacklist
- VALUE
  - The value to look for regular expression matches in the lookup. In most situations the value is a property of an event or a flow.
  - Example: URL
- HTTP HEADERS
  - A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.
  - Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'
Example:
SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::MATCH('https://example.com/api/reference_data/sets/url_blacklist',
URL, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL

Name: LOOKUPS::CIDRLIST( <URL>, <VALUE>, <HTTP HEADERS> )

Description: Returns the matching Classless Inter-Domain Routing (CIDR) if the VALUE matches any of the CIDR expressions that are contained in the data structure that is located at the specified URL. Supports either a plain-text file or the QRadar reference set API. HTTP HEADERS is a JSON structure that passes in authentication information or other headers, if required.
- URL
  - A fully qualified URL that points at the resource to be tested. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
  - The response of the URL retrieval can be one of these formats:
    - A plain text file. Each line in the response is loaded as a CIDR expression in the lookup.
    - A JSON file that contains a single list entry. Each entry in the list is loaded as a CIDR expression in the lookup.
    - A URL pointing at the QRadar reference set API. Each entry in the reference set is loaded as a CIDR expression in the lookup.
  - Example: https://example.com/api/reference_data/sets/cidr_blacklist
- VALUE
  - The value to look for CIDR expression matches in the lookup. In most situations the value is a property of an event or a flow that resolves to an IP address.
  - Example: sourceIP
- HTTP HEADERS
  - A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.
  - Example: '{"SEC":"abcde-abcde-abcde-abcde-abcde"}'
Example:
SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::CIDRLIST('https://example.com/api/reference_data/sets/cidr_blacklist',
sourceIP, '{"SEC":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL

Name: LOOKUPS::MATCH_CSV( <URL>, <INDEX>, <VALUE>, <HTTP HEADERS> )

Description: Returns the matching expression if the VALUE matches any of the regular expressions that are contained in the column referenced by INDEX in the CSV at the specified URL. Supports a CSV file that contains columns, of which one is a regular expression. HTTP HEADERS is a JSON structure that allows you to pass in authentication information or other headers, if required.
- URL
  - A fully qualified URL that points at the resource to be loaded into the lookup. The URL must be accessible by the QRadar Console, and by any QRadar event processors and flow processors.
  - The response of the URL retrieval must be a CSV file. The INDEX field in each row is loaded as a regular expression in the lookup.
  - Example: https://192.0.2.0/blacklist.csv
- INDEX
  - The field number of each row that should be loaded into the lookup.
  - Example: 2
- VALUE
  - The value to look for in the lookup. In most situations the value is a property of an event or a flow.
  - Example: File_Hash
- HTTP HEADERS
  - A string that contains JSON key-value pairs. Each key-value pair is appended as an HTTP header to the request that fetches the lookup so that you can pass information such as authentication credentials.
  - Example: '{"Authorization":"abcde-abcde-abcde-abcde-abcde"}'
Example:
SELECT sourceIP, destinationIP, username, File_Hash
FROM events
WHERE LOOKUPS::MATCH_CSV('http://192.0.2.0/blacklist.csv', 2, userName,
'{"Authorization":"abcde-abcde-abcde-abcde-abcde"}')
IS NOT NULL
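The four functions above share one pipeline: fetch a resource with the supplied HTTP headers, turn the response into a list of entries (one per line for plain text, the array elements for a JSON list, or the entries of a reference set), and then test VALUE against that list by exact membership, regular expression, CIDR containment, or a regex taken from one CSV column. The following Python model of that pipeline is an added example written for this page; it is not code from the content extension, and it runs offline against constructed feed contents instead of performing HTTP requests. Assumptions: the reference set API response is modelled as a JSON object whose "data" array holds objects with a "value" key, INDEX is treated as 1-based (the page does not say), the .json feed URL and all feed contents are constructed, and a feed entry that is not a valid regex or CIDR is skipped rather than failing the whole lookup.

```python
import csv
import io
import ipaddress
import json
import re
from typing import Optional

# Constructed stand-ins for the HTTP responses the real functions would fetch.
# Feed contents, the .json URL and the reference set response shape are assumptions.
FAKE_RESPONSES = {
    "https://192.0.2.0/md5_blacklist.txt":
        "d41d8cd98f00b204e9800998ecf8427e\n"
        "9e107d9d372bb6826bd81d3542a419d6\n",
    "https://192.0.2.0/md5_blacklist.json":
        '["d41d8cd98f00b204e9800998ecf8427e"]',
    "https://example.com/api/reference_data/sets/url_blacklist":
        json.dumps({"name": "url_blacklist",
                    "data": [{"value": r"^https?://evil\.example\.com/"},
                             {"value": r"\.onion/"}]}),
    "https://example.com/api/reference_data/sets/cidr_blacklist":
        '["198.51.100.0/24", "2001:db8::/32"]',
    "https://192.0.2.0/blacklist.csv":
        "source,pattern,comment\n"
        "feed-a,^svc_.*$,service accounts\n"
        "feed-b,^admin$,local admin\n",
}


def fetch(url: str, http_headers: str) -> str:
    """Stand-in for the HTTP retrieval. Parses the HTTP HEADERS JSON string the way
    the real request would before appending each pair as a header, then returns the
    constructed body for the URL (or fails, as an unreachable feed would)."""
    headers = json.loads(http_headers) if http_headers else {}
    if not isinstance(headers, dict):
        raise ValueError("HTTP HEADERS must be a JSON object of key-value pairs")
    try:
        return FAKE_RESPONSES[url]
    except KeyError:
        raise LookupError(f"lookup source not reachable: {url}") from None


def load_entries(url: str, http_headers: str) -> list:
    """Turn a response into lookup entries: the elements of a JSON array, the 'value'
    of each object in a reference set response's 'data' array (assumed shape), or
    otherwise one entry per non-empty line of plain text."""
    body = fetch(url, http_headers)
    parsed = None
    try:
        parsed = json.loads(body)
    except ValueError:
        pass  # not JSON: fall through to plain-text handling
    if isinstance(parsed, list):
        return [str(v) for v in parsed]
    if isinstance(parsed, dict) and isinstance(parsed.get("data"), list):
        return [str(item["value"]) for item in parsed["data"] if "value" in item]
    return [line.strip() for line in body.splitlines() if line.strip()]


def lookups_contains(url: str, value, http_headers: str = "") -> bool:
    """LOOKUPS::CONTAINS: exact membership test of VALUE in the loaded entries."""
    return str(value) in set(load_entries(url, http_headers))


def lookups_match(url: str, value, http_headers: str = "") -> Optional[str]:
    """LOOKUPS::MATCH: returns the first entry (a regex) that matches VALUE, else None."""
    for pattern in load_entries(url, http_headers):
        try:
            if re.search(pattern, str(value)):
                return pattern
        except re.error:
            continue  # one malformed regex in the feed must not break the lookup
    return None


def lookups_cidrlist(url: str, value, http_headers: str = "") -> Optional[str]:
    """LOOKUPS::CIDRLIST: returns the CIDR entry containing the IP in VALUE, else None."""
    try:
        addr = ipaddress.ip_address(str(value))
    except ValueError:
        return None  # VALUE did not resolve to an IP address
    for entry in load_entries(url, http_headers):
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # skip entries that are not valid CIDR expressions
        if addr.version == net.version and addr in net:
            return entry
    return None


def lookups_match_csv(url: str, index: int, value, http_headers: str = "") -> Optional[str]:
    """LOOKUPS::MATCH_CSV: column INDEX (1-based here, an assumption) of each CSV row is
    a regex; returns the first one that matches VALUE, else None. Note that a header
    row, if present, is tested like any other row."""
    body = fetch(url, http_headers)
    for row in csv.reader(io.StringIO(body)):
        if len(row) < index:
            continue
        pattern = row[index - 1]
        try:
            if re.search(pattern, str(value)):
                return pattern
        except re.error:
            continue
    return None
```

Two points worth checking when a lookup is wired into a rule: the header string carries credentials, so the feed URL should be served over TLS (the MATCH_CSV example above fetches over plain http while sending an Authorization header), and a feed that is reachable from the Console but not from an event or flow processor fails only on the processors, which the model above surfaces as a LookupError at fetch time.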