User import

Use the APIs to add directory server or reference table imports to the UBA User Import feature.

Entry point

https://<Qradar ip>/console/plugins/<UBA app id>/app_proxy/user_import

Endpoints

HTTP Method   Endpoint   Media Type
POST          /cert      multipart/form-data
POST          /imports   application/json

API Schema

Importing from an LDAP server with a certificate file

To import from an LDAP server with a certificate authority, complete the following steps.
  1. Get the UBA app ID. Either open UBA Settings in the browser and read the ID from the URL in the address bar (between "plugins" and "app_proxy"), or open an SSH connection to the QRadar® Console machine and run the following command:
    psql -U qradar -c "select id from installed_application where name = 'User Analytics';"
    Note: You will use the application id when creating the URL used in the cURL commands.
  2. If you want to create a new directory server import that uses a certificate, use the Cert API to upload the certificate file:
    curl -X POST -F 'importId=0' -F 'file=@<PATH/TO/CERT/FILE>' -H "Content-Type: multipart/form-data" -H "SEC: <AUTHORIZED_SERVICE_TOKEN>" https://<QRADAR_IP_ADDRESS>/console/plugins/<APP_ID>/app_proxy/user_import/cert
    Note: You will use the output of the cURL command in the body of the POST request that creates the new import.
  3. Use the Imports API to create the new import.
  4. Enter the following command:
    curl -X POST -H "Content-Type: application/json" -H "SEC: <AUTHORIZED_SERVICE_TOKEN>" -d '{"pollingInterval": 24,"configName": "<CONFIG_NAME>", "retrievalLimit": 500000, "dataSource":"LDAP", "configLdap": {"filter": "(objectClass=person)", "ssl": false,"host": "<SERVER_IP_OR_HOSTNAME>", "password": "", "username": "", "paged": true,"baseDN": "<BASE_DN>", "ca": {"expiryTime": "<FROM_CERT_API>", "filename":"<FROM_CERT_API>"}, "port": 389}}' https://<QRADAR_IP_ADDRESS>/console/plugins/<APP_ID>/app_proxy/user_import/imports

Importing from an LDAP server without a certificate file

To import from an LDAP server without a certificate file, complete the following steps.
  1. Get the UBA app ID. Either open UBA Settings in the browser and read the ID from the URL in the address bar (between "plugins" and "app_proxy"), or open an SSH connection to the QRadar Console machine and run the following command:
    psql -U qradar -c "select id from installed_application where name = 'User Analytics';"
    Note: You will use the application id when creating the URL used in the cURL commands.
  2. Use the Imports API to create the new import.
  3. Enter the following command:
    curl -X POST -H "Content-Type: application/json" -H "SEC: <AUTHORIZED_SERVICE_TOKEN>" -d '{"pollingInterval": 24,"configName": "<CONFIG_NAME>", "retrievalLimit": 500000, "dataSource":"LDAP", "configLdap": {"filter": "(objectClass=person)", "ssl": false,"host": "<SERVER_IP_OR_HOSTNAME>", "password": "", "username": "", "paged": true,"baseDN": "<BASE_DN>", "ca": {"expiryTime": "", "filename":""}, "port": 389}}' https://<QRADAR_IP_ADDRESS>/console/plugins/<APP_ID>/app_proxy/user_import/imports
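
The two LDAP procedures above differ only in the "ca" fields of the request body. The following Python example, added here and not part of the product documentation, builds that body from the Cert API output and prepares the Imports API request. It assumes the Cert API prints a JSON object with "expiryTime" and "filename" keys; the host names, app ID, certificate values and the UBA_SEC_TOKEN variable are constructed for illustration.

```python
import json
import os
import urllib.request


def base_url(qradar_host, app_id):
    # Entry point from the page: .../plugins/<APP_ID>/app_proxy/user_import
    return f"https://{qradar_host}/console/plugins/{app_id}/app_proxy/user_import"


def ldap_import_body(config_name, ldap_host, base_dn, cert_output=None):
    """Body for POST /imports, using the field values shown on the page.

    cert_output is the text printed by POST /cert. Assumption: it is a JSON
    object with "expiryTime" and "filename" keys, matching the "ca" fields.
    """
    ca = {"expiryTime": "", "filename": ""}  # no certificate: both stay empty
    if cert_output:
        cert = json.loads(cert_output)
        missing = [key for key in ca if key not in cert]
        if missing:
            raise ValueError(f"Cert API output lacks {missing}")
        ca = {key: cert[key] for key in ca}
    ldap = {"filter": "(objectClass=person)", "ssl": False, "host": ldap_host,
            "password": "", "username": "", "paged": True, "baseDN": base_dn,
            "ca": ca, "port": 389}
    return {"pollingInterval": 24, "configName": config_name,
            "retrievalLimit": 500000, "dataSource": "LDAP", "configLdap": ldap}


def imports_request(qradar_host, app_id, body, token):
    """Prepare, without sending, the POST /imports request."""
    return urllib.request.Request(
        base_url(qradar_host, app_id) + "/imports",
        data=json.dumps(body).encode("utf-8"),  # json.dumps escapes every value
        headers={"Content-Type": "application/json", "SEC": token},
        method="POST",
    )


if __name__ == "__main__":
    # Constructed sample values; UBA_SEC_TOKEN is a hypothetical variable name.
    sample_cert = '{"expiryTime": "2030-01-01", "filename": "ldap-ca.pem"}'
    body = ldap_import_body("corp-ldap", "ldap.example.test",
                            "dc=example,dc=test", sample_cert)
    req = imports_request("qradar.example.test", "1105", body,
                          os.environ.get("UBA_SEC_TOKEN", ""))
    print(req.get_method(), req.full_url)
    print(req.data.decode("utf-8"))
```

Sending the prepared request with urllib.request.urlopen(req) requires that the client trusts the console's TLS certificate.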

Importing from a reference table

To import from a reference table, complete the following steps.
  1. Get the UBA app ID. Either open UBA Settings in the browser and read the ID from the URL in the address bar (between "plugins" and "app_proxy"), or open an SSH connection to the QRadar Console machine and enter the following command:
    psql -U qradar -c "select id from installed_application where name = 'User Analytics';"
    Note: You will use the application id when creating the URL used in the cURL commands.
  2. Most users choose to use the web interface to create a new reference table import. However, the Imports API is also supported.
    Note: The reference table must already exist on the QRadar system and must be used as the CONFIG_NAME.
  3. Enter the following command:
    curl -X POST -d '{"pollingInterval": 24, "configName": "<CONFIG_NAME>","retrievalLimit": 500000, "dataSource": "REF"}' -H "Content-Type:application/json" -H "SEC: <AUTHORIZED_SERVICE_TOKEN>" https://<QRADAR_IP_ADDRESS>/console/plugins/<APP_ID>/app_proxy/user_import/imports