Question & Answer
Question
What is in version 2 of the content management tool (CMT v2) and how do administrators use it?
Note: Content Management tool version 2 is for QRadar versions 7.4.x and later.
Cause
CMT v2 currently exports custom data as follows:
- Exports are currently done through the API endpoint.
- Exports include only a minimum data set unless the user requests more.
- By default, exporting each content type produces an extension that includes that content type and all of its "reference_base" dependencies.
- The export is done under the Interactive API for Developers, starting from the endpoint /config/extension_management/extension_export_tasks.
- Neither "fgroups" nor "reference_data" is pulled from a single endpoint; each is assembled from a collection of several endpoints. This is reflected in the table under "Using the API to view data".
Answer
Supported Content Types:
- Log Source Type
- Log Source
- Log Source Extensions
- QID Map
- Custom Property (Extraction-Based Properties – Regex, LEEF, CEF, JSON, Generic List)
- Custom Event Expressions (Regex and JSON)
- Custom Rules (System, User, Override). System rules are default rules, User rules are custom rules, and Override rules are modified default rules.
- Reference Data
- Custom Actions
- Groups (Log Source Groups, Report Group, and Search Group)
Note:
- You need Content Management Tool v1 (CMTv1) to export Dashboards.
- "FGroups" exports only the name of the Group, not its contents. CMTv1 is best used to export the contents of a group and its related content:
/opt/qradar/bin/contentManagement.pl -a export -c 12 --id ####
- All selections for content export by using the API must be made in JSON format. The format looks similar to:
{"export_contents":[{"content_type":"<content_type>"}]}
Exporting a log source type with ID of 4002:
{ "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "content_item_ids": ["4002"] } ] }
Exporting all CUSTOM Log Source Types:
{ "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "filters": [ { "filter_name": "CUSTOM" } ] } ] }
Exporting all CUSTOM Log Source Types with just the Custom Event Mappings:
{ "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "filters": [ { "filter_name": "CUSTOM" } ], "related_content": [ { "content_type": "DSM_EVENT_MAPPINGS" } ] } ] }
Exporting all custom Log Source Types and their non-deleted Log Sources:
{ "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "filters": [ { "filter_name": "CUSTOM" } ], "related_content": [ { "content_type": "LOG_SOURCES", "filters": [ { "filter_name": "NONDELETED" } ] } ] } ] }
Exporting AQL properties:
{ "export_contents": [ { "content_type": "AQL_PROPERTIES" } ] }
Exporting Custom Rules (user and override rules only):
{ "export_contents": [ { "content_type": "CUSTOM_RULES", "filters": [ { "column": "origin", "operator": "IN", "values": [ "USER", "OVERRIDE" ] } ] } ] }
List of content types available and filters used in the export
Content Types:
- AQL_EXPRESSIONS
- AQL_PROPERTIES
- CALCULATED_EXPRESSIONS
- CALCULATED_PROPERTIES
- CEF_EXPRESSIONS
- CUSTOM_ACTIONS
- CUSTOM_FUNCTIONS
- CUSTOM_PROPERTIES
- CUSTOM_RULES
- FGROUPS
- GENERIC_LIST_EXPRESSIONS
- INSTALLED_APPLICATIONS
- JSON_EXPRESSIONS
- LEEF_EXPRESSIONS
- LOG_SOURCE_EXTENSIONS
- LOG_SOURCE_TYPES
- LOG_SOURCES
- NAME_VALUE_PAIR_EXPRESSIONS
- QID_RECORDS
- REFERENCE_DATA
- REGEX_EXPRESSIONS
- REPORTS
- SAVED_EVENT_FLOW_SEARCHES
- TAGGED_FIELDS
- XML_EXPRESSIONS
Filters:
- CUSTOM
- NONDELETED
- NONCUSTOM
Operators:
- LIKE
- ILIKE
- EQUAL
- NOT_EQUAL
- GREATER
- LOWER
- IN
- NOT_IN
- REGEX
Using the API to view data
By using the endpoint from this table, you can query data in the API that you want to export.
Content_type | GET Collection endpoint for the content_type | ID resource at endpoint | Content Type ID
---|---|---|---
AQL_EXPRESSIONS | /config/event_sources/custom_properties/property_aql_expressions | regex_property_identifier | 54
AQL_PROPERTIES | Deprecated. Now just refers to AQL_EXPRESSIONS | |
CALCULATED_EXPRESSIONS | /config/event_sources/custom_properties/property_calculated_expressions | regex_property_identifier | 55
CALCULATED_PROPERTIES | /config/event_sources/custom_properties/calculated_properties | identifier | 7
CEF_EXPRESSIONS | /config/event_sources/custom_properties/property_cef_expressions | regex_property_identifier | 48
CUSTOM_ACTIONS | /analytics/custom_actions/actions | id | 78
CUSTOM_FUNCTIONS | /ariel/functions | n/a | 77
CUSTOM_PROPERTIES | /config/event_sources/custom_properties/regex_properties | identifier | 6
CUSTOM_RULES | /analytics/rules | identifier | 3
FGROUPS | /config/event_sources/log_source_management/log_source_groups, /ariel/event_saved_search_group, /ariel/flow_saved_search_group | id | 12
GENERIC_LIST_EXPRESSIONS | /config/event_sources/custom_properties/property_genericlist_expressions | regex_property_identifier | 51
INSTALLED_APPLICATIONS | /config/extension_management/extensions | id | 100
JSON_EXPRESSIONS | /config/event_sources/custom_properties/property_json_expressions | regex_property_identifier | 47
LEEF_EXPRESSIONS | /config/event_sources/custom_properties/property_leef_expressions | regex_property_identifier | 49
LOG_SOURCE_EXTENSIONS | /config/event_sources/log_source_management/log_source_extensions | id | 16
LOG_SOURCE_TYPES | /config/event_sources/log_source_management/log_source_types | id | 24
LOG_SOURCES | /config/event_sources/log_source_management/log_sources | id | 17
NAME_VALUE_PAIR_EXPRESSIONS | /config/event_sources/custom_properties/property_nvp_expressions | regex_property_identifier | 52
QID_RECORDS | /data_classification/qid_records | id | 27
REFERENCE_DATA | /reference_data/tables, /reference_data/maps, /reference_data/map_of_sets, /reference_data_collections/sets | collection_id; id (for sets only) | 28
REGEX_EXPRESSIONS | /config/event_sources/custom_properties/property_expressions | regex_property_identifier | 9
REPORTS | /ariel/saved_searches (Reports are just saved searches) | id | 10
SAVED_EVENT_FLOW_SEARCHES | /ariel/saved_searches | id | 99
TAGGED_FIELDS | /ariel/taggedfields | id | 106
XML_EXPRESSIONS | /config/event_sources/custom_properties/property_xml_expressions | regex_property_identifier | 53
To view a content type such as Log Sources, log in to the QRadar UI:
- On the navigation menu, click Interactive API for Developers.
- Expand config > event_sources > log_source_management > log_sources.
- Click Get > Try it Out!
- Review the entries in the Response Body.
Results
Your log source details can be viewed in the response body.
Procedure to export content by using CMT v2
- Log in to the QRadar user interface.
- On the navigation menu, click Interactive API for Developers.
- Navigate to the config > Extension_management endpoint.
- Scroll to extension_export_tasks.
- Under Parameters > configData, add the JSON string to Value.
- Click Try it Out!
- From Response Body, copy the task_id to a clipboard.
- On the API menu, scroll to extensions_task_status > status_id.
- Under Parameters > status_id, add the task_id in the Value text box.
- Click Try it Out!
- In the Response Body, confirm the export is completed.
- Use an SCP client to log in to the Console.
- Navigate to the /store/tmp/cmt/out/ directory.
- Locate the .zip file for the content exported, for example: sensordevicetype-20211130124233.zip
- Move the content export file to your local workstation.
Results
The downloaded file is exported from QRadar to your local workstation. This file can be reviewed, modified, or imported back into the system, if required.
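The following added example (not part of the IBM technote) builds the export selection JSON described under "All selections for content export" and submits it to the extension_export_tasks endpoint used in the procedure above. The content-type, filter and operator names are the ones listed on this page; the HTTP call shape (configData as a query parameter, a SEC token header, a task_id field in the response) is an assumption about the QRadar REST API, not something the page states.

```python
"""Build, validate and submit CMT v2 export selections (added example)."""
import json
import urllib.parse
import urllib.request

# Allowed names, taken from the content type, filter and operator lists on this page.
CONTENT_TYPES = {
    "AQL_EXPRESSIONS", "AQL_PROPERTIES", "CALCULATED_EXPRESSIONS", "CALCULATED_PROPERTIES",
    "CEF_EXPRESSIONS", "CUSTOM_ACTIONS", "CUSTOM_FUNCTIONS", "CUSTOM_PROPERTIES",
    "CUSTOM_RULES", "FGROUPS", "GENERIC_LIST_EXPRESSIONS", "INSTALLED_APPLICATIONS",
    "JSON_EXPRESSIONS", "LEEF_EXPRESSIONS", "LOG_SOURCE_EXTENSIONS", "LOG_SOURCE_TYPES",
    "LOG_SOURCES", "NAME_VALUE_PAIR_EXPRESSIONS", "QID_RECORDS", "REFERENCE_DATA",
    "REGEX_EXPRESSIONS", "REPORTS", "SAVED_EVENT_FLOW_SEARCHES", "TAGGED_FIELDS",
    "XML_EXPRESSIONS",
}
NAMED_FILTERS = {"CUSTOM", "NONDELETED", "NONCUSTOM"}
OPERATORS = {"LIKE", "ILIKE", "EQUAL", "NOT_EQUAL", "GREATER", "LOWER", "IN", "NOT_IN", "REGEX"}


def selection(content_type, item_ids=None, filters=None, related=None):
    """One export_contents entry. Typos in names are rejected here rather than by the API."""
    if content_type not in CONTENT_TYPES:
        raise ValueError(f"unknown content_type {content_type!r}")
    entry = {"content_type": content_type}
    if item_ids:
        entry["content_item_ids"] = [str(i) for i in item_ids]  # IDs are strings in the JSON
    if filters:
        for f in filters:
            if "filter_name" in f and f["filter_name"] not in NAMED_FILTERS:
                raise ValueError(f"unknown filter_name {f['filter_name']!r}")
            if "operator" in f and f["operator"] not in OPERATORS:
                raise ValueError(f"unknown operator {f['operator']!r}")
        entry["filters"] = list(filters)
    if related:
        entry["related_content"] = list(related)  # nested selection() results
    return entry


def export_request(*entries):
    """The configData value: a JSON document with an export_contents array."""
    return json.dumps({"export_contents": list(entries)})


def submit_export(console, token, config_data):
    """Assumed call shape: POST with configData as a query parameter and a SEC token
    header; returns the task_id to poll with extensions_task_status (assumed field name)."""
    url = (f"https://{console}/api/config/extension_management/extension_export_tasks?"
           + urllib.parse.urlencode({"configData": config_data}))
    req = urllib.request.Request(url, method="POST",
                                 headers={"SEC": token, "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["task_id"]
```

A call such as `submit_export("qradar.example", "<SEC token>", export_request(selection("AQL_PROPERTIES")))` returns the task_id that the procedure has you copy from the Response Body.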
Restoring content exported from CMT v2
- Log in to the QRadar Console as an administrator.
- Click Admin tab > Extension Management.
- Click Add.
- Click Browse and locate the .zip file for the content exported.
- Check the Install Immediately box.
- Click Add.
- If the exported content is not signed, click Install to continue.
- Click Install.
- Click OK.
Note: If the system detects the data import contains information with a matching name or content already on the system, a prompt is displayed to overwrite or keep the existing content. If you do not select Override, then changes are not applied when duplicate properties exist.
Results
The content is imported.
Document Information
Modified date: 19 December 2023
UID: ibm16520020