Ingesting QRadar offense alerts by calling the REST API

To ingest QRadar® offense alerts, you can make an API call to the application’s endpoint by using the hostname or IP address of your QRadar deployment.

Before you begin

You must have an authorized service token. For more information, see Creating an authorized service token.

About this task

The endpoint supports only an HTTP GET call. It takes in a SEC header to authorize the API call.

Important: IBM tested the REST endpoint to work with 100 offenses. If you exceed this limit, you might get an application 500 error.


  1. Log in to your QRadar Suite SaaS product.
  2. From the command line or command prompt, enter the following curl command:
    curl -x socks5h://localhost:1080 --request GET 
     ‘https://<QRADAR HOST IP>/console/plugins/app_proxy:offense_results/api/offense_results’ --insecure --   header ‘SEC: <token>’
    • -x is used for a SOCK proxy, if required.
    • <QRADAR HOST IP> is the IP address of the QRadar deployment. On IBM® QRadar on Cloud, you must use the fully qualified domain name (FQDN) instead of the IP address.
    • <token> is the authorized service token that you created in Creating an authorized service token.


The REST endpoint returns the offenses that were closed since the last polling interval (in last 1 minute). It also returns offenses that received events, flows, or both and are still open since last the polling interval (in last 1 minute).