IBM Support

QRadar: How to use the Content Management Tool (CMT) version 2

Question & Answer


Question

What is in version 2 of the content management tool (CMT v2) and how do administrators use it?

Note: Content Management tool version 2 is for QRadar versions 7.4.0 and later.

Cause

CMT v2 currently exports custom data:
  • Exports are run through the API endpoint.
  • Each export contains the minimum data set unless the user requests more.
  • By default, exporting a content type produces an extension that contains only that content type and all of its "reference_base" dependencies.
  • The export is done from the Interactive API for Developers, starting at the endpoint /config/extension_management/extension_export_tasks.

Answer

Supported Content Types:
  • Log Source Type
  • Log Source
  • Log Source Extensions
  • QID Map
  • Custom Property (extraction-based properties: Regex, LEEF, CEF, JSON)
  • Custom Event Expressions (Regex and JSON)
  • Custom Rules (System, User, Override). System rules are default rules, User rules are custom rules, and Override rules are modified default rules.
Note:
  • You need Content Management Tool v1 to export Dashboards.
  • All selections for content export by using the API must be made in JSON format, with plain double quotes. The format looks similar to:
    {"export_contents":[{"content_type":"<content_type>"}]}
    Examples:
    Exporting a log source type with ID of 4002:
    { "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "content_item_ids": ["4002"] } ] }

    Exporting all CUSTOM Log Source Types:
    { "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "filters": [ { "filter_name": "CUSTOM" } ] } ] }

    Exporting all custom Log Source Types and their non-deleted Log Sources:
    { "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "filters": [ { "filter_name": "CUSTOM" } ], "related_content": [ { "content_type": "LOG_SOURCES", "filters": [ { "filter_name": "NONDELETED" } ] } ] } ] }

    Exporting AQL properties:
    { "export_contents": [ { "content_type": "AQL_PROPERTIES" } ] }

    Exporting custom rules (user-created and overridden rules only):
    { "export_contents": [ { "content_type": "CUSTOM_RULES", "filters": [ { "column": "origin", "operator": "IN", "values": [ "USER", "OVERRIDE" ] } ] } ] }
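The following is an added example (not IBM's code) that builds the configData selections shown above with json.dumps, so the quoting mistakes that a pasted JSON string often carries (typographic quotes, a wrong top-level key, an entry without content_type) are caught before the export task is submitted. The content_type and filter names are taken from the page; the helper names are this example's own.

```python
import json

def name_filter(name):  # named filter from the page, e.g. CUSTOM or NONDELETED
    return {"filter_name": name}

def column_filter(column, operator, values):  # e.g. origin IN [USER, OVERRIDE]
    return {"column": column, "operator": operator, "values": list(values)}

def export_entry(content_type, item_ids=None, filters=None, related=None):
    """One export_contents element; optional keys are emitted only when set."""
    entry = {"content_type": content_type}
    if item_ids:
        entry["content_item_ids"] = [str(i) for i in item_ids]  # IDs travel as strings
    if filters:
        entry["filters"] = list(filters)
    if related:
        entry["related_content"] = list(related)
    return entry

def config_data(*entries):
    """Serialise the selection; json.dumps only ever emits straight ASCII quotes."""
    return json.dumps({"export_contents": list(entries)}, separators=(",", ":"))

def check_config_data(text):
    """Validate a hand-typed configData string before it is pasted into the API."""
    if any(ch in text for ch in "\u201c\u201d\u2018\u2019"):
        raise ValueError("typographic quotes found; JSON needs plain double quotes")
    doc = json.loads(text)  # JSONDecodeError (a ValueError) on malformed JSON
    if not isinstance(doc, dict) or set(doc) != {"export_contents"} \
            or not isinstance(doc["export_contents"], list):
        raise ValueError('top level must be exactly {"export_contents": [...]}')
    if any(not isinstance(e, dict) or "content_type" not in e for e in doc["export_contents"]):
        raise ValueError("every export_contents entry needs a content_type")
    return doc

def is_valid_config_data(text):
    try:
        check_config_data(text)
        return True
    except ValueError:
        return False

EXAMPLES = {  # the page's five examples, rebuilt with the helpers above
    "log_source_type_4002": config_data(export_entry("LOG_SOURCE_TYPES", item_ids=[4002])),
    "custom_log_source_types": config_data(
        export_entry("LOG_SOURCE_TYPES", filters=[name_filter("CUSTOM")])),
    "custom_types_with_log_sources": config_data(export_entry(
        "LOG_SOURCE_TYPES", filters=[name_filter("CUSTOM")],
        related=[export_entry("LOG_SOURCES", filters=[name_filter("NONDELETED")])])),
    "aql_properties": config_data(export_entry("AQL_PROPERTIES")),
    "custom_rules": config_data(export_entry(
        "CUSTOM_RULES", filters=[column_filter("origin", "IN", ["USER", "OVERRIDE"])])),
}
```

Each string in EXAMPLES can be pasted directly into the configData Value field of the Interactive API.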
    

Using the API to view data

By using the endpoints in the following table, you can query the data that you want to export through the API.

Content_type            | GET Collection endpoint for the content_type                         | ID resource at endpoint    | Content Type ID
------------------------|----------------------------------------------------------------------|----------------------------|----------------
LOG_SOURCE_TYPE         | /config/event_sources/log_source_management/log_source_types         | ID                         | 24
LOG_SOURCES             | /config/event_sources/log_source_management/log_sources              | ID                         | 17
LOG_SOURCE_EXTENSIONS   | /config/event_sources/log_source_management/log_source_extensions    | ID                         | 16
QID_RECORDS             | /data_classification/qid_records                                     | ID                         | 27
CUSTOM_PROPERTIES       | /config/event_sources/custom_properties/regex_properties             | Identifier                 |
REGEX_EXPRESSIONS       | /config/event_sources/custom_properties/property_expressions         | Regex_property_identifier  |
LEEF_EXPRESSIONS        | /config/event_sources/custom_properties/property_leef_expressions    | Regex_property_identifier  |
CEF_EXPRESSIONS         | /config/event_sources/custom_properties/property_cef_expressions     | Regex_property_identifier  |
JSON_EXPRESSIONS        | /config/event_sources/custom_properties/property_json_expressions    | Regex_property_identifier  |
AQL_PROPERTIES          | /config/event_sources/custom_properties/property_aql_expressions     |                            |
CALCULATED_PROPERTIES   | /config/event_sources/custom_properties/calculated_properties        | Identifier                 | 7
CUSTOM_RULES            | /analytics/rules                                                     | Identifier                 | 3

To view a content type such as Log Sources, log in to the QRadar UI:
  1. On the navigation menu, click Interactive API for Developers.
  2. Expand config > event_sources > log_source_management > log_sources.
  3. Click GET > Try it Out!
  4. Review the entries in the Response Body.
Results
Your log source details can be viewed in the response body.

Procedure to export content by using CMT v2

  1. Log in to the QRadar user interface.
  2. On the navigation menu, click Interactive API for Developers.
  3. Navigate to the config > extension_management endpoint.
  4. Scroll to extension_export_tasks.
  5. Under Parameters > configData, add the JSON string to Value.
  6. Click Try it Out!
  7. From Response Body, copy the task_id to a clipboard.
  8. On the API menu, scroll to extensions_task_status > status_id.
  9. Under Parameters > status_id add the task_id in the Value text box.
  10. Click Try it Out!
  11. In the Response Body, confirm the export is completed.
  12. Use an SCP client to connect to the Console.
  13. Navigate to /store/tmp/cmt/out/ directory.
  14. Locate the .zip file for the content exported.
    sensordevicetype-20211130124233.zip
    
  15. Move the content export file to your local workstation.

    Results
    The downloaded file is exported from QRadar to your local workstation. This file can be reviewed, modified, or imported back into the system, if required.
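The export procedure above, scripted end to end, as an added example that is not IBM's code: it submits the configData, polls extensions_task_status until the task finishes, and leaves the .zip to be collected from /store/tmp/cmt/out/. It assumes the /api path prefix, the SEC authorized-service token header, that configData is sent as a JSON request body, and the status field names noted in the comments; check these against the Interactive API on your version.

```python
import json
import time
import urllib.request

# Endpoints from the export procedure; /api prefix, the SEC-token header and the
# JSON body for configData are assumed QRadar API conventions, not stated on the page.
EXPORT_PATH = "/api/config/extension_management/extension_export_tasks"
STATUS_PATH = "/api/config/extension_management/extensions_task_status/{status_id}"
OUT_DIR = "/store/tmp/cmt/out/"  # where the Console writes the finished .zip

def build_request(console, sec_token, path, config_json=None):
    """Build (without sending) the HTTPS request; POST when configData is supplied."""
    data = config_json.encode("utf-8") if config_json is not None else None
    req = urllib.request.Request("https://" + console + path, data=data,
                                 method="POST" if data else "GET")
    req.add_header("SEC", sec_token)  # authorized-service token, never an admin password
    req.add_header("Accept", "application/json")
    if data:
        req.add_header("Content-Type", "application/json")
    return req

def task_state(status_doc):
    """Map a task-status document to done/running/failed. The 'status' field and its
    values are assumed from QRadar task-status responses; verify them on your version."""
    status = str(status_doc.get("status", "")).upper()
    if status == "COMPLETED":
        return "done"
    if status in {"QUEUED", "PROCESSING", "INITIALIZING"}:
        return "running"
    return "failed"  # EXCEPTION, CANCELLED or anything unexpected

def submit_export(console, sec_token, config_json):
    """Create the export task; returns the task id (page: task_id; 'id' fallback assumed)."""
    with urllib.request.urlopen(build_request(console, sec_token, EXPORT_PATH, config_json)) as r:
        doc = json.load(r)
    return doc.get("task_id", doc.get("id"))

def wait_for_export(console, sec_token, task_id, poll_seconds=5, timeout=600):
    """Poll the status endpoint until the task leaves the running state."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        path = STATUS_PATH.format(status_id=task_id)
        with urllib.request.urlopen(build_request(console, sec_token, path)) as r:
            doc = json.load(r)
        if task_state(doc) != "running":
            return task_state(doc), doc
        time.sleep(poll_seconds)
    raise TimeoutError(f"export task {task_id} still running after {timeout}s")
```

Call submit_export with the Console hostname, a SEC token and a configData string, then wait_for_export with the returned id; when it reports "done", fetch the .zip from OUT_DIR with SCP as in steps 12 to 15. Trust the Console's certificate through the OS CA store rather than disabling TLS verification in urllib.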

Restoring content exported from CMT v2

  1. Log in to the QRadar Console as an administrator.
  2. Click Admin tab > Extension Management.
  3. Click Add.
  4. Click Browse and locate the .zip file for the content exported.
  5. Check the Install Immediately box.
  6. Click Add.
  7. If the exported content is not signed, click Install to continue.
  8. Click Install.
  9. Click OK.
    Note: If the system detects that the imported data contains content with a name or content that matches what is already on the system, a prompt is displayed asking whether to overwrite or keep the existing content. If you do not select Override, changes are not applied where duplicate properties exist.

    Results
    The content is imported.

 


Document Information

Modified date:
28 February 2022

UID

ibm16520020