Modifying a QID map entry

Modify an existing user-defined IBM QRadar Identifier (QID) map entry.

About this task

Restriction:

The qidmap_cli script cannot interact with QID entries that are associated with a specific custom Log Source Type. QRadar has public APIs that can interact with QIDs in this range, and the API is the supported mechanism for the operation. The QID map API is at /data_classification/qid_records. It supports the GET, CREATE, and UPDATE functions; it does not support the DELETE function.

Procedure

  1. Using SSH, log in to QRadar as the root user.
  2. Type the following command:
    qidmap_cli.sh -m --qid <QID> --qname <name> --qdescription <description> --severity <severity>

    The following table describes the command-line options for the QID map utility:

    | Options | Description |
    |---|---|
    | -m | Modifies an existing user-defined QID map entry. |
    | --qid <QID> | The QID that you want to modify. |
    | --qname <name> | The name that you want to associate with this QID map entry. The name can be up to 255 characters in length with no spaces. |
    | --qdescription <description> | The description for this QID map entry. The description can be up to 2048 characters in length with no spaces. |
    | --severity <severity> | The severity level that you want to assign to this QID map entry. The valid range is 0 - 10. |
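
The length, no-space and severity limits from the options table can be checked before the modify command runs. The wrapper below is an added example, not IBM's code; the `QIDMAP_CLI` variable, the function names and the sample values in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight checks for `qidmap_cli.sh -m`.
# Limits come from the options table on this page. QIDMAP_CLI is an assumed
# variable naming the script; point it at the script's location on your console.
QIDMAP_CLI="${QIDMAP_CLI:-qidmap_cli.sh}"

# has_space STRING -> 0 if STRING contains any whitespace character
has_space() {
    case "$1" in
        *[[:space:]]*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_uint STRING -> 0 if STRING is a non-empty run of decimal digits
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# qid_validate QID NAME DESCRIPTION SEVERITY
# Returns 0 when every value is within the documented limits; otherwise
# prints the reason on stderr and returns 1.
qid_validate() {
    [ "$#" -eq 4 ] || { echo "usage: QID NAME DESCRIPTION SEVERITY" >&2; return 1; }
    # Assumption: a QID is a decimal integer (the page does not state its format).
    is_uint "$1" || { echo "QID must be numeric: $1" >&2; return 1; }
    [ -n "$2" ] && [ "${#2}" -le 255 ] || { echo "name must be 1-255 characters" >&2; return 1; }
    has_space "$2" && { echo "name must not contain spaces" >&2; return 1; }
    [ "${#3}" -le 2048 ] || { echo "description exceeds 2048 characters" >&2; return 1; }
    has_space "$3" && { echo "description must not contain spaces" >&2; return 1; }
    is_uint "$4" && [ "${#4}" -le 2 ] && [ "$4" -le 10 ] || { echo "severity must be 0 - 10" >&2; return 1; }
    return 0
}

# qid_modify QID NAME DESCRIPTION SEVERITY
# Runs the modify command from the procedure only after validation passes.
# Constructed sample call: qid_modify 2000001 Custom_Login_Failure Repeated_failed_logins 7
qid_modify() {
    qid_validate "$@" || return 1
    "$QIDMAP_CLI" -m --qid "$1" --qname "$2" --qdescription "$3" --severity "$4"
}
```

Because every argument is passed quoted, a value that fails validation is rejected before it reaches the root shell command line rather than being split into extra options.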