Ingesting QRadar offense alerts by calling the REST API
To ingest QRadar® offense alerts, you can make an API call to the application’s endpoint by using the hostname or IP address of your QRadar deployment.
Before you begin
About this task
The endpoint supports only an HTTP GET call. It takes in a SEC header to authorize the API call.
- Log in to your QRadar Suite SaaS product.
- From the command line or command prompt, enter the following curl command:
curl -x socks5h://localhost:1080 --request GET 'https://<QRADAR HOST IP>/console/plugins/app_proxy:offense_results/api/offense_results' --insecure --header 'SEC: <token>'
Where
-x is used for a SOCKS proxy, if required.
<QRADAR HOST IP> is the IP address of the QRadar deployment. On IBM® QRadar on Cloud, you must use the fully qualified domain name (FQDN) instead of the IP address.
<token> is the authorized service token that you created in Creating an authorized service token.
The REST endpoint returns the offenses that were closed since the last polling interval (in the last 1 minute). It also returns offenses that received events, flows, or both and are still open since the last polling interval (in the last 1 minute).
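The following Python poller is an added example, not IBM's code: it builds the same GET request with the SEC header, calls it once per minute, and splits each batch into closed and still-open offenses. It assumes a direct connection (no SOCKS proxy), verifies TLS against a CA bundle instead of using --insecure, and assumes each returned offense carries a 'status' field, which the documentation does not specify.

```python
"""Poll the QRadar offense_results endpoint with an authorized service token."""
import json
import ssl
import time
import urllib.error
import urllib.request

ENDPOINT_PATH = "/console/plugins/app_proxy:offense_results/api/offense_results"
POLL_SECONDS = 60  # the endpoint reports offenses changed in the last minute


def build_request(qradar_host, sec_token):
    """GET request for the endpoint; qradar_host is the IP, or the FQDN on QRadar on Cloud."""
    url = "https://" + qradar_host + ENDPOINT_PATH
    # The SEC header carries the authorized service token, like curl's --header 'SEC: <token>'.
    headers = {"SEC": sec_token, "Accept": "application/json"}
    return urllib.request.Request(url, headers=headers, method="GET")


def poll_once(request, ca_bundle=None):
    """One HTTP GET. TLS is verified against ca_bundle (PEM path, an assumption), not disabled."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(request, timeout=30, context=ctx) as resp:
        return json.load(resp)


def split_offenses(offenses):
    """Split a batch into offenses closed in the interval and offenses still open but updated.
    Assumption (not from the docs): each offense dict has a 'status' of 'CLOSED' or 'OPEN'."""
    closed = [o for o in offenses if o.get("status") == "CLOSED"]
    still_open = [o for o in offenses if o.get("status") != "CLOSED"]
    return closed, still_open


def poll_forever(qradar_host, sec_token, handle, ca_bundle=None):
    """Call the endpoint once per polling interval and pass each batch to handle(closed, still_open)."""
    request = build_request(qradar_host, sec_token)
    while True:
        try:
            handle(*split_offenses(poll_once(request, ca_bundle)))
        except urllib.error.URLError as exc:  # network or TLS failure: report and retry next interval
            print("poll failed: %s" % exc)
        time.sleep(POLL_SECONDS)


if __name__ == "__main__":
    # Constructed sample of one polling interval's result (field names are assumptions).
    sample = [{"id": 101, "status": "CLOSED"}, {"id": 102, "status": "OPEN", "event_count": 7}]
    closed, still_open = split_offenses(sample)
    print("closed:", [o["id"] for o in closed], "still open:", [o["id"] for o in still_open])
```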