IBM Support

QRadar: How to export saved searches results using QRadar API

How To


Summary

To export the events from a saved search in any of the supported formats (JSON, CSV, XML, or tabular text), you first need the Search ID (search_id), and to obtain the search_id you need the Saved Search ID (saved_search_id). This article describes step by step how to get both values and then export the results.

Steps

Note: The /ariel/searches/{search_id}/results endpoint works with query results that are generated by AQL query expressions. This endpoint might not work as expected for results that are generated by other means. The method in this document is intended for use with saved searches that are created with advanced search (AQL).

1. Confirm your search is saved

   a. Log in to QRadar, go to Log Activity, click Searches, then select Edit Search.
   b. Search for the saved search name in the Type Saved Search or Select from List bar.
   c. If the search is not in the list, it is not saved and you need to save it with the Save Criteria option.

2. How to get the Saved Search ID

   a. Open the API page: from the QRadar main page, click the three-line menu, then select Interactive API for Developers.
   b. Click ariel, then the saved_searches endpoint.
   c. Use the filter to return only the data for your saved search. For example, to get the information for a saved search named Malware Events by Name, enter the following in the filter bar (including name=): name="Malware Events by Name"
   d. Scroll down, then click Try it Out!
   e. In the Response Body, look for your saved search and copy its ID (it is a 4-digit number).

3. How to get the Search ID

   a. In the Interactive API for Developers, go to ariel, then click the searches endpoint.
   b. Click POST.
   c. Scroll down and, in the saved_search_id field, paste the saved_search_id you copied in step e of the "How to get the Saved Search ID" section of this article.
   d. Click Try it Out!
   e. In the Response Body, save the value of search_id.

4. How to export the results

Now that you have the search ID, you can pull your events either from the GUI (Interactive API for Developers) or from a CLI terminal (cURL).

From the Graphical Interface (GUI):
   a. In the Interactive API for Developers, go to ariel > searches > {search_id} > results.
   b. In the Response Type section, select the format in which to export the results (JSON, CSV, table, XML).
   c. In the search_id field, paste the search_id you saved in step e of the "How to get the Search ID" section of this article.
   d. In the Range field, you can set the range of events to return as part of the result.
   e. Click Try it Out!
   Note: It takes more time to display the result when there is a large amount of data.
   f. In the Response Body, the events are displayed in the selected format.
From CLI (cURL):
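The same four-step flow driven from a script rather than the interactive API page, as an added example that is not IBM's code or this article's cURL steps. It uses only Python's standard library; the host, the SEC authorized-service token, and the polling of the search status until it reports COMPLETED are assumptions for this example.

```python
import json
import ssl
import time
import urllib.parse
import urllib.request

# Accept header values for the four export formats the article names
FORMATS = {"json": "application/json", "csv": "text/csv",
           "xml": "application/xml", "table": "text/table"}

def build_request(host, token, path, method="GET", params=None, headers=None):
    """Authenticated request for https://<host>/api/<path>."""
    url = f"https://{host}/api/{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method=method)
    req.add_header("SEC", token)  # authorized-service token, not a user password
    for key, value in (headers or {}).items():
        req.add_header(key, value)
    return req

def saved_search_request(host, token, name):
    """Step 2: look up the saved search by name (filter=name="...")."""
    return build_request(host, token, "ariel/saved_searches",
                         params={"filter": f'name="{name}"'})

def create_search_request(host, token, saved_search_id):
    """Step 3: POST ariel/searches with saved_search_id to start the search."""
    return build_request(host, token, "ariel/searches", method="POST",
                         params={"saved_search_id": saved_search_id})

def results_request(host, token, search_id, fmt="json", first=0, last=49):
    """Step 4: fetch results; Accept picks the format, Range the item window."""
    headers = {"Accept": FORMATS[fmt], "Range": f"items={first}-{last}"}
    return build_request(host, token, f"ariel/searches/{search_id}/results",
                         headers=headers)

def send(req):
    """Send to a live console with TLS verification on (trust the console cert, don't disable checks)."""
    with urllib.request.urlopen(req, timeout=60, context=ssl.create_default_context()) as resp:
        return resp.read().decode()

def export_saved_search(host, token, name, fmt="csv", first=0, last=49):
    """Whole flow: saved_search_id -> search_id -> wait for COMPLETED -> results body."""
    saved = json.loads(send(saved_search_request(host, token, name)))
    if not saved:
        raise LookupError(f"saved search {name!r} not found; save it first (step 1)")
    search_id = json.loads(send(create_search_request(host, token, saved[0]["id"])))["search_id"]
    while json.loads(send(build_request(host, token, f"ariel/searches/{search_id}")))["status"] != "COMPLETED":
        time.sleep(5)  # assumed polling step; the article's GUI simply waits for the result
    return send(results_request(host, token, search_id, fmt, first, last))
```

Call export_saved_search("qradar.example.invalid", "<SEC token>", "Malware Events by Name", fmt="csv") against a real console to write the CSV body to a file.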

Document Location

Worldwide


Document Information

Modified date:
25 April 2024

UID

ibm16540268