IBM Support

QRadar: How to retrieve a list of QIDs associated with a DSM

How To


Summary

There are two ways to get the list of QIDs associated with a DSM: through the QRadar REST API, or through a psql query on the QRadar Console command line. Both start by identifying the log source type (DSM) record in the sensordevicetype table.

Steps

Using the QRadar API

  1. Get the log source type ID. SSH to the QRadar Console and log in as the root user.
  2. Run the following psql query. Replace Linux with the name of the DSM you need; ilike matches case-insensitively, so a partial name is enough.
    Note: In these instructions, we are using the log source type Linux.
    psql -U qradar -c "select id, devicetypename from sensordevicetype where devicetypename ilike '%Linux%'"
    
  3. The output lists the id and devicetypename of each matching log source type. Note the id value of the DSM you need; it is the log_source_type_id used in the following steps.
  4. Log in to the QRadar UI as an administrator.
  5. On the navigation menu ( Navigation menu icon ), click Interactive API for Developers.
  6. Navigate to data_classification > dsm_event_mappings.
  7. In the second box under Parameters, add the filter log_source_type_id=XX, where XX is the id from step 3.
    For example: log_source_type_id=58
  8. The equivalent curl command looks similar to the following. The Range header returns only the first 50 mappings; for a DSM with more mappings, repeat the request with the next range (for example items=50-99) until the Content-Range header in the response shows that all items were returned.
    curl -S -X GET -u admin -H 'Range: items=0-49' -H 'Version: 14.0' -H 'Accept: application/json' 'https://IP or HostName/api/data_classification/dsm_event_mappings?filter=log_source_type_id%3D58'
  9. Click the Try It Out! button.
  10. The Response Body contains the list of DSM event mappings and their related QIDs for that log source type.
    Note: Each mapping references its QID through qid_record_id. The QID number, name and low-level category of that record are available from the data_classification > qid_records endpoint, filtered on id.
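The following script is an example added to this article, not IBM code. It automates steps 4 to 10 from the command line: it builds the same filtered dsm_event_mappings request as the curl command above, and it follows the Range/Content-Range paging so that a DSM with more than 50 mappings is retrieved completely instead of stopping at item 49. It authenticates with an authorized-service token in the SEC header rather than the -u admin basic authentication shown in the curl command. Assumptions: the host name and token are placeholders supplied by the caller; the response field names (qid_record_id, log_source_event_id, log_source_event_category, custom_event) follow the dsm_event_mappings schema shown in the interactive API page and should be checked against your QRadar version; the two-page sample response at the bottom of the script is constructed so the paging logic can be exercised offline.

```python
#!/usr/bin/env python3
"""Fetch every DSM event mapping for one log source type from the QRadar REST API.

Example added alongside the IBM article; not IBM code. Host, token and the
embedded sample pages are placeholders / constructed data.
"""
import json
import os
import ssl
import sys
import urllib.parse
import urllib.request

API_PATH = "/api/data_classification/dsm_event_mappings"
API_VERSION = "14.0"       # same Version header as the article's curl command
PAGE_SIZE = 50             # the article's Range: items=0-49 is one page of 50


def build_url(host, log_source_type_id):
    """URL with the filter encoded exactly as in the curl example (= becomes %3D)."""
    query = urllib.parse.urlencode(
        {"filter": f"log_source_type_id={int(log_source_type_id)}"})
    return f"https://{host}{API_PATH}?{query}"


def range_header(page, page_size=PAGE_SIZE):
    """Range header value for zero-based page N: items=0-49, items=50-99, ..."""
    start = page * page_size
    return f"items={start}-{start + page_size - 1}"


def parse_content_range(value):
    """'items 0-49/1234' -> (0, 49, 1234); None if the header is missing or unparseable."""
    if not value:
        return None
    try:
        unit, rest = value.split(" ", 1)
        span, total = rest.split("/", 1)
        start, end = span.split("-", 1)
        if unit != "items":
            return None
        return int(start), int(end), int(total)
    except ValueError:
        return None


def has_more(content_range):
    """True when the server reports items beyond the page just received."""
    parsed = parse_content_range(content_range)
    if parsed is None:
        return False
    _start, end, total = parsed
    return end + 1 < total


def _http_get(url, headers, insecure=False):
    """Real transport: returns (body_text, Content-Range header value)."""
    ctx = ssl.create_default_context()
    if insecure:                       # lab consoles with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return resp.read().decode("utf-8"), resp.headers.get("Content-Range")


def fetch_mappings(host, token, log_source_type_id, fetch=None, insecure=False):
    """Page through dsm_event_mappings for one log_source_type_id; returns all items."""
    if fetch is None:
        fetch = lambda u, h: _http_get(u, h, insecure)
    url = build_url(host, log_source_type_id)
    mappings, page = [], 0
    while True:
        headers = {
            "SEC": token,               # authorized-service token (Admin > Authorized Services)
            "Version": API_VERSION,
            "Accept": "application/json",
            "Range": range_header(page),
        }
        body, content_range = fetch(url, headers)
        items = json.loads(body)
        mappings.extend(items)
        if not items or not has_more(content_range):   # empty page also ends the loop
            return mappings
        page += 1


def summarize(mappings):
    """(log_source_event_id, event_category, qid_record_id, custom_event) per mapping, sorted."""
    rows = [(m.get("log_source_event_id"), m.get("log_source_event_category"),
             m.get("qid_record_id"), bool(m.get("custom_event", False))) for m in mappings]
    return sorted(rows, key=lambda r: (str(r[0]), str(r[1])))


# Constructed two-page sample (60 mappings for type 58) so the paging logic runs offline.
def sample_fetch(url, headers):
    start = int(headers["Range"].split("=")[1].split("-")[0])
    end = min(start + PAGE_SIZE, 60)
    items = [{"id": i, "log_source_type_id": 58, "log_source_event_id": f"event-{i}",
              "log_source_event_category": "Sample", "qid_record_id": 1000 + i,
              "custom_event": i % 10 == 0} for i in range(start, end)]
    return json.dumps(items), f"items {start}-{end - 1}/60"


if __name__ == "__main__":
    # usage: QRADAR_HOST=console.example QRADAR_SEC=<token> python3 qids_for_dsm.py 58 [--insecure]
    host, token = os.environ["QRADAR_HOST"], os.environ["QRADAR_SEC"]
    result = fetch_mappings(host, token, int(sys.argv[1]), insecure="--insecure" in sys.argv)
    for event_id, category, qid_record, custom in summarize(result):
        print(f"{event_id}\t{category}\t{qid_record}\t{'custom' if custom else 'default'}")
```

The script stops on either an empty page or a Content-Range that shows the last item has been received, so a DSM with exactly a multiple of 50 mappings does not cause an extra request or a loop. Only use --insecure against a lab console; on production, import the console certificate into the trust store instead.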
Using the QRadar CLI
  1. Log in to the QRadar Console command line as the root user.
    Note: In these instructions, we are using the log source type Linux DHCP Server.
  2. Run the following psql query to find the DSM devicetypedescription you require. The ilike pattern is case-insensitive and can be partial.
    psql -U qradar -c "select devicetypedescription from sensordevicetype where devicetypedescription ilike '%Linux%'"
    
  3. The output looks similar to:
      devicetypedescription
     -------------------------
      Linux iptables Firewall
      Linux DHCP Server
      Linux OS
     (3 rows)
  4. Copy the required devicetypedescription exactly as shown in the output into the following psql query, replacing <DESCRIPTION-HERE>. The final condition uses = rather than ilike, so the value must match the output exactly, including case and spacing, or the query returns no rows.
    psql -U qradar -c "select e.devicetypeid AS \"ID\", sn.devicetypedescription AS \"Device Description\", e.deviceeventid AS
    \"Event ID\", q.qid AS \"QID\", e.deviceeventcategory AS \"Event Category\", q.qname AS
    \"QIDmap Name\", q.lowlevelcategory AS \"Low Level Category\", l.name_i18n_key AS \"Information Level\",
    to_char(to_timestamp(s.serial/1000),'YYYY-MM-DD HH24:MI:SS TZ') AS \"SERIAL\", e.customevent AS \"Custom Event\"
    from dsmevent e, qidmap q, category_type l, qidmap_serial s, sensordevicetype sn where sn.id = e.devicetypeid and
    q.lowlevelcategory = l.id and q.qid = s.qid and e.qidmapid = q.id and sn.devicetypedescription = '<DESCRIPTION-HERE>'"
    For example, for Linux DHCP Server the final condition is: sn.devicetypedescription = 'Linux DHCP Server'
  5. The output is a table with one row per DSM event of that log source type, showing the event ID, its QID, the QID name, the low-level category, the serial timestamp, and whether the mapping is a custom event.

Additional Information

Document Location

Worldwide


Document Information

Modified date:
10 July 2023

UID

ibm16410222