Importing Qid map entries
Using the IBM QRadar Identifier (QID) map utility, you can import QID map entries from a .txt file.
Procedure
-
Create a .txt file that includes the user-defined QID map
entries that you want to import. Ensure that each entry in the file is
separated with a comma. Choose one of the following options:
- If you want to import a new list of user-defined QID map entries, create
the file with the following format for each
entry:
,<name>,<description>,<severity>,<category>
Example:,buffer,buffer_QID,7,18401 ,malware,malware_misc,8,18403
- If you want to import an existing list of user-defined QID map entries,
create the file with the following format for each
entry:
<qid>,<name>,<description>,<severity>
Example: 2000002,buffer,buffer_QID,7 2000001,malware,malware_misc
The following table describes the command-line options of the QID utility.
Options Description <qid> The existing QID for the entry. This option is required if you want to import an existing exported list of QID entries. To import new QID entries, do not use this option. The QID map utility assigns an identifier (QID) for each entry in the file.
--qname <name> The name that you want to associate with this QID map entry. The name can be up to 255 characters in length with no spaces. --qdescription <description> The description for this QID map entry. The description can be up to 2048 characters in length with no spaces. --severity <severity> The severity level that you want to assign to this QID map entry. The valid range is 0 - 10. --lowlevelcategoryid <ID> The low-level category ID that you want to assign to this QID map entry. This option is only necessary if you want to import a new list of QID entries.
- If you want to import a new list of user-defined QID map entries, create
the file with the following format for each
entry:
- Save and close the file.
- Using SSH, log in to QRadar as the root user:
-
To import the QID map file, type the following command:
/opt/qradar/bin/qidmap_cli.sh -i -f <filename.txt>The
<filename.txt>option is the directory path and name of the file that contains the QID map entries. If any of the entries in the file cause an error, no entries in the file are enforced.