Question & Answer
Question
What is in version 2 of the content management tool (CMT v2) and how do administrators use it?
Note: Content Management tool version 2 is for QRadar versions 7.4.0 and later.
Cause
CMT v2 currently exports custom data:
- Exports are currently done through the API endpoint.
- Exports include only the minimum data set unless the user requests more.
- By default, exporting each content type provides only an extension including that content type and all of its “reference_base” dependencies.
- The export is done under the Interactive API for Developers, starting from the endpoint /config/extension_management/extension_export_tasks
Answer
Supported Content Types:
- Log Source Type
- Log Source
- Log Source Extensions
- QID Map
- Custom Property (Extraction-Based Properties – Regex, LEEF, CEF, JSON)
- Custom Event Expressions (Regex and JSON)
- Custom Rules (System, User, Override). System rules are default rules, User rules are custom rules, and Override rules are modified default rules.
Note:
- You need Content Management Tool v1 to export Dashboards.
- All selections for content export by using the API must be made in JSON format. The format looks similar to:
{"export_contents":[{"content_type":"<content_type>"}]}
Examples:
- Exporting a log source type with ID of 4002:
{ "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "content_item_ids": ["4002"] } ] }
- Exporting all CUSTOM Log Source Types:
{ "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "filters": [ { "filter_name": "CUSTOM" } ] } ] }
- Exporting all custom Log Source Types and their non-deleted Log Sources:
{ "export_contents": [ { "content_type": "LOG_SOURCE_TYPES", "filters": [ { "filter_name": "CUSTOM" } ], "related_content": [ { "content_type": "LOG_SOURCES", "filters": [ { "filter_name": "NONDELETED" } ] } ] } ] }
- Exporting AQL properties:
{ "export_contents": [ { "content_type": "AQL_PROPERTIES" } ] }
- Exporting custom rules (User and Override origin only):
{ "export_contents": [ { "content_type": "CUSTOM_RULES", "filters": [ { "column": "origin", "operator": "IN", "values": [ "USER", "OVERRIDE" ] } ] } ] }
Using the API to view data
By using the endpoint from this table, you can query data in the API that you want to export.
Content_type | GET collection endpoint for the content_type | ID resource at endpoint | Content Type ID |
---|---|---|---|
LOG_SOURCE_TYPES | /config/event_sources/log_source_management/log_source_types | ID | 24 |
LOG_SOURCES | /config/event_sources/log_source_management/log_sources | ID | 17 |
LOG_SOURCE_EXTENSIONS | /config/event_sources/log_source_management/log_source_extensions | ID | 16 |
QID_RECORDS | /data_classification/qid_records | ID | 27 |
CUSTOM_PROPERTIES | /config/event_sources/custom_properties/regex_properties | Identifier | |
REGEX_EXPRESSIONS | /config/event_sources/custom_properties/property_expressions | Regex_property_identifier | |
LEEF_EXPRESSIONS | /config/event_sources/custom_properties/property_leef_expressions | Regex_property_identifier | |
CEF_EXPRESSIONS | /config/event_sources/custom_properties/property_cef_expressions | Regex_property_identifier | |
JSON_EXPRESSIONS | /config/event_sources/custom_properties/property_json_expressions | Regex_property_identifier | |
AQL_PROPERTIES | /config/event_sources/custom_properties/property_aql_expressions | | |
CALCULATED_PROPERTIES | /config/event_sources/custom_properties/calculated_properties | Identifier | 7 |
CUSTOM_RULES | /analytics/rules | Identifier | 3 |
To view a content type such as Log Sources, log in to the QRadar UI:
- On the navigation menu, click Interactive API for Developers.
- Expand config > event_sources > log_source_management > log_sources.
- Click GET > Try it Out!
- Review the entries in the Response Body.
Results
Your log source details can be viewed in the response body.
Procedure to export content by using CMT v2
- Log in to the QRadar user interface.
- On the navigation menu, click Interactive API for Developers.
- Navigate to the config > extension_management endpoint.
- Scroll to extension_export_tasks.
- Under Parameters > configData, add the JSON string to Value.
- Click Try it Out!
- From Response Body, copy the task_id to a clipboard.
- On the API menu, scroll to extensions_task_status > status_id.
- Under Parameters > status_id add the task_id in the Value text box.
- Click Try it Out!
- In the Response Body, confirm the export is completed.
- Use an SCP client to log in to the Console.
- Navigate to the /store/tmp/cmt/out/ directory.
- Locate the .zip file for the content exported, for example:
  sensordevicetype-20211130124233.zip
- Move the content export file to your local workstation.
Results
The downloaded file is exported from QRadar to your local workstation. This file can be reviewed, modified, or imported back in to the system, if required.
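The JSON selections above and the export procedure can be scripted instead of pasted into the Interactive API page. The following is an added example, not IBM's code: it builds the export_contents envelope with the same content types and filters shown on this page, POSTs it to the extension_export_tasks endpoint named above, and polls extensions_task_status until the task completes. The /api prefix, the SEC token header, the Version header value and the status strings (COMPLETED, FAILED, CANCELLED, EXCEPTION) are assumptions drawn from general QRadar REST API conventions; confirm them against the Interactive API page of your own deployment. The transport is injectable so the polling logic runs offline.

```python
"""Added example (not IBM's code): build CMT v2 export requests and drive the
export task through the QRadar REST API using only the standard library."""
import json
import ssl
import time
import urllib.request

# Endpoints as named on this page. The /api prefix, SEC header and Version
# header are assumed from general QRadar API conventions (check your deployment).
API_VERSION = "14.0"
EXPORT_TASKS_PATH = "/api/config/extension_management/extension_export_tasks"
TASK_STATUS_PATH = "/api/config/extension_management/extensions_task_status/{task_id}"
TERMINAL_FAILURE = ("FAILED", "CANCELLED", "EXCEPTION")  # assumed status names


def content_selection(content_type, item_ids=None, filters=None, related=None):
    """Build one entry of export_contents: a content type plus optional item IDs,
    filters ({"filter_name": ...} or column/operator/values) and related content."""
    entry = {"content_type": content_type}
    if item_ids:
        entry["content_item_ids"] = [str(i) for i in item_ids]
    if filters:
        entry["filters"] = list(filters)
    if related:
        entry["related_content"] = list(related)
    return entry


def export_request(*selections):
    """Wrap one or more selections in the export_contents envelope."""
    return {"export_contents": list(selections)}


def config_data(request):
    """Compact JSON string suitable for the configData value on the API page."""
    return json.dumps(request, separators=(",", ":"))


def _call(base_url, token, method, path, body=None, cafile=None):
    """Minimal authenticated call. TLS verification stays on; pass cafile for a
    private CA instead of disabling checks."""
    headers = {"SEC": token, "Version": API_VERSION, "Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    req = urllib.request.Request(base_url.rstrip("/") + path, data=data,
                                 headers=headers, method=method)
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def start_export(base_url, token, request, cafile=None):
    """POST the export request and return the task_id from the response body."""
    reply = _call(base_url, token, "POST", EXPORT_TASKS_PATH, body=request, cafile=cafile)
    return reply["task_id"]


def wait_for_export(task_id, fetch_status, poll_seconds=5, max_polls=120):
    """Poll the task status until COMPLETED. fetch_status(path) -> dict so the
    transport can be _call bound to a console, or a stub when testing offline."""
    path = TASK_STATUS_PATH.format(task_id=task_id)
    for _ in range(max_polls):
        status = fetch_status(path)
        state = status.get("status")
        if state == "COMPLETED":
            return status
        if state in TERMINAL_FAILURE:
            raise RuntimeError(f"export task {task_id} ended with {state}: {status.get('message')}")
        time.sleep(poll_seconds)
    raise TimeoutError(f"export task {task_id} not complete after {max_polls} polls")


# Three of the selections shown on this page, expressed with the helpers above.
LOG_SOURCE_TYPE_4002 = export_request(
    content_selection("LOG_SOURCE_TYPES", item_ids=[4002]))
CUSTOM_TYPES_WITH_SOURCES = export_request(
    content_selection("LOG_SOURCE_TYPES", filters=[{"filter_name": "CUSTOM"}],
                      related=[content_selection("LOG_SOURCES",
                                                 filters=[{"filter_name": "NONDELETED"}])]))
USER_AND_OVERRIDE_RULES = export_request(
    content_selection("CUSTOM_RULES", filters=[{"column": "origin", "operator": "IN",
                                                "values": ["USER", "OVERRIDE"]}]))

if __name__ == "__main__":
    import sys
    # Usage: python cmt_export.py https://<console> <api-token>   (placeholders)
    base, token = sys.argv[1], sys.argv[2]
    task = start_export(base, token, USER_AND_OVERRIDE_RULES)
    done = wait_for_export(task, lambda p: _call(base, token, "GET", p))
    print("export task complete:", config_data(done))
    print("fetch the .zip from /store/tmp/cmt/out/ on the Console over SCP")
```

The export itself still lands in /store/tmp/cmt/out/ on the Console, so the SCP step of the procedure is unchanged; the script only replaces the copy-and-paste of the task_id between the two API pages.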
Restoring content exported from CMT v2
- Log in to the QRadar Console as an administrator.
- Click Admin tab > Extension Management.
- Click Add.
- Click Browse and locate the .zip file for the content exported.
- Check the Install Immediately box.
- Click Add.
- If the exported content is not signed, click Install to continue.
- Click Install.
- Click OK.
Note: If the system detects the data import contains information with a matching name or content already on the system, a prompt is displayed to overwrite or keep the existing content. If you do not select Override, then changes are not applied when duplicate properties exist.
Results
The content is imported.
Document Information
Modified date:
28 February 2022
UID
ibm16520020