Public API endpoints

IBM® QRadar® Use Case Manager provides APIs that you can use to interact with the data.

Use Case Explorer

Endpoint Description
POST: /api/use_case_explorer Generates a Use Case Explorer report.
GET: /api/use_case_explorer/{reportId}/status Checks the status of a Use Case Explorer report.
GET: /api/use_case_explorer/{reportId}/result Returns the results of the Use Case Explorer report as a JSON array, page by page.
POST: /api/use_case_explorer/{reportId}/download_csv Starts a job to download a Use Case Explorer report as a CSV file.
GET: /api/use_case_explorer/download_csv/{jobId}/status Checks the status of a Use Case Explorer CSV file download job.
GET: /api/use_case_explorer/download_csv/{jobId}/result Returns the results of the Use Case Explorer download CSV job.
POST: /api/use_case_explorer/{reportId}/download_json Starts a job to download a Use Case Explorer report as a JSON file.
GET: /api/use_case_explorer/download_json/{jobId}/status Checks the status of a Use Case Explorer JSON file download job.
GET: /api/use_case_explorer/download_json/{jobId}/result Returns the results of the Use Case Explorer download JSON job.
POST: /api/rules_export/html/{reportId}/download_report Starts a job to download Use Case Explorer rules as a compressed HTML report.
Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header.
GET: /api/rules_export/html/download_report/{jobId}/status Checks the status of a Use Case Explorer compressed HTML report download job.
GET: /api/rules_export/html/download_report/{jobId}/result Returns the results of the Use Case Explorer download compressed HTML report job.

Log source coverage

Endpoint Description
GET: /api/log_source_types/activity_and_current_rules_count Returns information on rule-log source type activity and current coverage.
GET: /api/log_source_types/current_and_potential_rules_count Returns information on current and potential rule-log source type coverage.

MITRE endpoints

Endpoint Description
POST: /api/custom_mitre_group_technique Uploads a custom MITRE group-technique file.
GET: /api/mappings Returns all MITRE ATT&CK rule mappings in QRadar Use Case Manager.
POST: /api/mappings Imports previously created mappings into QRadar Use Case Manager.
Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header.
DELETE: /api/mappings Deletes any customized rule mappings in QRadar Use Case Manager and resets the mappings back to the IBM default.
Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header.
GET: /api/mappings/by_name Returns the rule mappings in QRadar Use Case Manager.
POST: /api/mappings/by_name Creates new rule mappings in QRadar Use Case Manager.
DELETE: /api/mappings/by_name Deletes the rule mappings in QRadar Use Case Manager by rule ID.
Important: Requires passing the same SEC token as QRadar Use Case Manager in the request header.
GET: /api/mitre/mitre_coverage/{ruleUUID} Returns all rule and child mappings in QRadar Use Case Manager by rule UUID.
GET: /api/mappings/tactics Returns all MITRE ATT&CK tactics and techniques in QRadar Use Case Manager.
GET: /api/mappings/tactics/{tactic_id} Returns all the techniques for the requested MITRE ATT&CK tactic in QRadar Use Case Manager.
GET: /api/mappings/numbers_by_tactic Returns the number of MITRE ATT&CK rule mappings per tactic in QRadar Use Case Manager.
GET: /api/mappings/trends Returns the number of MITRE ATT&CK rule mappings in QRadar Use Case Manager per day since the specified time.

Tuning findings

Endpoint Description
GET: /api/rule/findings Gets all the tuning findings.
GET: /api/rule/findings/{ruleId}/findingsByRuleId Returns all tuning findings for a specific rule ID.

Example

The following example shows a request that passes the SEC token in the header.

curl -i -k -X 'POST' 'https://xxxxxx/console/plugins/app_proxy:UseCaseManager_Service/api/mappings/by_name?rule_id=234567' -H 'accept: application/json' -H 'sec:xxxxxx'

where -H 'sec:xxxxxx' is the same SEC token that is used in QRadar Use Case Manager.
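
The request above, rewritten as an added example (not IBM's code) for scripted use: it verifies the console certificate with --cacert instead of skipping verification with -k, and it passes the SEC token to curl through a config read from stdin, so the token does not appear in the process list. The environment variable names, the function names and the token character check are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code). QRADAR_CONSOLE, QRADAR_SEC_TOKEN and
# QRADAR_CA_BUNDLE are assumed environment variable names.

# App-proxy prefix as it appears in the page's curl example.
UCM_PREFIX='console/plugins/app_proxy:UseCaseManager_Service'

# Build the full URL for an API path such as /api/mappings.
ucm_url() {
  local console="$1" path="$2"
  case $console in
    ''|*[!A-Za-z0-9.:-]*) echo 'invalid console host' >&2; return 1 ;;
  esac
  case $path in
    /api/*) ;;
    *) echo 'path must start with /api/' >&2; return 1 ;;
  esac
  printf 'https://%s/%s%s\n' "$console" "$UCM_PREFIX" "$path"
}

# Emit the request headers as a curl config body. Tokens with characters
# outside a conservative set (an assumption) are rejected, which also
# blocks quotes and newlines that could inject extra headers.
ucm_curl_config() {
  local token="$1"
  case $token in
    ''|*[!A-Za-z0-9._-]*) echo 'unexpected characters in SEC token' >&2; return 1 ;;
  esac
  printf 'header = "accept: application/json"\n'
  printf 'header = "sec: %s"\n' "$token"
}

# Send one request. The headers travel on stdin (--config -), and the
# console certificate is checked against the CA bundle.
ucm_request() {
  local method="$1" path="$2" url cfg
  url=$(ucm_url "$QRADAR_CONSOLE" "$path") || return 1
  cfg=$(ucm_curl_config "$QRADAR_SEC_TOKEN") || return 1
  printf '%s\n' "$cfg" |
    curl --silent --show-error --fail --cacert "$QRADAR_CA_BUNDLE" \
         --config - -X "$method" "$url"
}

# Usage: ucm_request POST '/api/mappings/by_name?rule_id=234567'
```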