IBM Support

QRadar: How to export QIDs from QRadar



How does a user export custom QIDs from QRadar?


The organization from multiple administrators has created custom QID's. Since some of the list of what QIDs created has not been maintained or properly documented this is a way to create a list.

Resolving The Problem

A QID is a QRadar Identifier and is a numeric representation of a specific event. For example, QID #39750013 is a Login Failed event. Each QID includes a name, description, severity, and low level category.

To view QIDs from the user interface
  1. Log in to QRadar.
  2. Click the Log Activity tab.
  3. Click the Pause icon.
  4. Double-click on an event to view the detailed Event Information page.
  5. Click the Map Event button.
  6. A searchable user interface of QIDs is displayed.

To export a list of custom QIDs
To export a list of Custom QIDs:
  1. Using SSH, log in to the QRadar Console as the root user.
  2. From command line run one of the commands below.

    List of Category Types:

    /opt/qradar/bin/ -l > /tmp/Category_type_CLI.txt

    Export user created QIDs:

    TXT: /opt/qradar/bin/ -e -f /tmp/UserCreated_QID_CLI.txt

    CSV: /opt/qradar/bin/ -e -f /tmp/UserCreated_QID_CLI.csv

    Results: The file with QID information will be in /tmp
To view QIDs and the related event name:
An alternate method to view QIDs, is to use the idlist utility. This utility allows users to view existing QIDs in QRadar.
  1. Using SSH, log in to the QRadar Console as the root user.
  2. To view the full list of QIDs, type: ./opt/qradar/bin/ -e qid
  3. A list of QIDs is printed to the screen.
  4. Press Space to page down through the list of QIDs.
  5. To search the list, type /search_term and then press Enter. For example, /malware.
  6. Press q to exit the list at any time.

For more information on custom QID mapping look at QID map overview on IBM Documentation.

Where do you find more information?

[{"Product":{"code":"SSBQAC","label":"IBM QRadar SIEM"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"General Information","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.2","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Document Information

Modified date:
25 August 2022