IBM Support

QRadar: How to export saved searches results using QRadar API

How To


Summary

This article describes how to export the events of a saved search in any of the supported formats (JSON, CSV, XML, or tabular text) through the QRadar API. To export the results, you first need the search ID (search_id), and to obtain the search_id you need the saved search ID (saved_search_id). The steps below show how to get both values and then pull the results.

Steps

1. Confirm your search is saved

   a. Log in to QRadar, go to Log Activity, click Searches, then select Edit Search.
   b. Search for the saved search name in the Type Saved Search or Select from List bar.
   c. If the search is not in the list, it is not saved and you need to save it with the Save Criteria option.

2. How to get the Saved Search ID

   a. Open the API page: from the QRadar main page, click the three-line menu, then select Interactive API for Developers.
   b. Click ariel, then the saved_searches endpoint.
   c. Use the filter to get only the data for your saved search. For example, to search for the information of a saved search named Malware Events by Name, add the following filter in the filter bar (including name=): name="Malware Events by Name".
   d. Scroll down, then click Try it Out!
   e. In the Response Body, look for your saved search and copy its ID (a 4-digit number).

3. How to get the Search ID

   a. In the Interactive API for Developers, go to ariel, then click the searches endpoint.
   b. Click POST.
   c. Scroll down and, in the saved_search_id field, paste the saved_search_id you got from step e in the "How to get the Saved Search ID" section of this article.
   d. Click Try it Out!
   e. In the Response Body, save the value for search_id.

4. How to export the results

Now that you have the search_id, you can pull your events either from the GUI (Interactive API for Developers) or from a CLI terminal (cURL):

From the Graphical Interface (GUI):
   a. In the Interactive API for Developers, go to ariel > searches > {search_id} > results.
   b. In the Response Type section, select the format in which to export the results (JSON, CSV, table, XML).
   c. In the search_id field, paste the search_id you saved in step e of the "How to get the Search ID" section of this article.
   d. In the Range field, set the range of events to return as part of the result.
   e. Click Try it Out!
   Note: The response takes longer to display when there is a large amount of data.
   f. In the Response Body, the events are displayed in the selected format.

From CLI (cURL):
Note: To use curl, you need to generate an access token first; if you already have one, that token can be used.
   a. After you obtain the search ID, run this command to generate the export (the file search_result.json is created in the folder where the command is run):

curl -S -X GET -H 'SEC: 1ac95239-3a22-XXXX-XXX-XXXXX' -H 'Range: items=0-49' -H 'Version: 16.0' -H 'Accept: application/json' 'https://<Console IP>/api/ariel/searches/<search_id>/results' > search_result.json

   SEC: The access token you generated.
   Range: The range of records to export; adjust it to the number of results you want.
   Version: The QRadar API version. Make sure it matches the version running on the console from which the information is pulled.
   Accept: The format in which you want to retrieve the events.
   search_id: Replace <search_id> in the URL with the search_id obtained in the "How to get the Search ID" section.

The following curl is an example that authenticates with a user name and password (-u admin) instead of an access token. Replace <search_id> with the search_id of your search.
Note: Run this command only in a secured environment and only as a last resort:

curl -S -X GET -u admin -H 'Range: items=0-49' -H 'Version: 17.0' -H 'Accept: text/table' 'https://<Console IP>/api/ariel/searches/<search_id>/results'

   Range: The range of records to export; adjust it to the number of results you want.
   Version: The QRadar API version. Make sure it matches the version running on the QRadar console from which the information is pulled.
   Accept: The format in which you want to retrieve the events.
   search_id: Replace <search_id> in the URL with the search_id obtained in the "How to get the Search ID" section.
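The three API steps above (look up the saved_search_id, POST it to create a search, pull the results with a Range header) chained into one script, as an added example that is not IBM's code or part of this article. The endpoint paths, parameter names and the SEC, Version, Accept and Range headers are the ones the article uses. Two details are assumptions rather than taken from the article: the filter syntax name="<saved search name>", and a status-polling step (GET /api/ariel/searches/{search_id} until its "status" field reads "COMPLETED") from the public QRadar API reference, added so results are not pulled from a search that is still running. The console name, token, ids, events and the QRADAR_CONSOLE / QRADAR_SEC_TOKEN environment variable names are constructed for the example; without those variables set, the script runs the same flow against a canned stand-in for the console so it can be tried offline.

```python
"""Export a QRadar saved search's results through the Ariel REST API.
Added example, not IBM's code. Endpoint paths, the saved_search_id / search_id
parameters and the SEC, Version, Accept and Range headers are those the article
shows. Assumed, not from the article: the filter syntax name="<name>", and the
status poll (GET /api/ariel/searches/{search_id} until "status" is "COMPLETED")."""
import json
import os
import time
import urllib.parse
import urllib.request

ACCEPT_TYPES = {"json": "application/json", "csv": "text/csv",  # Accept header per format
                "xml": "application/xml", "table": "text/table"}

class QRadarAriel:
    def __init__(self, console, token, version="16.0", opener=None):
        self.base, self.token, self.version = f"https://{console}/api/ariel", token, version
        self.opener = opener or self._https  # opener(method, url, headers) -> (status, body)

    @staticmethod
    def _https(method, url, headers):
        req = urllib.request.Request(url, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=60) as resp:
            return resp.status, resp.read()

    def _call(self, method, path, params=None, accept="application/json", extra=None):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        headers = {"SEC": self.token, "Version": self.version, "Accept": accept, **(extra or {})}
        status, body = self.opener(method, url, headers)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {body[:200]!r}")
        return body

    def saved_search_id(self, name):
        """Step 2: GET /saved_searches?filter=name="..." and return the saved search id."""
        for entry in json.loads(self._call("GET", "/saved_searches", {"filter": f'name="{name}"'})):
            if entry.get("name") == name:  # exact match, never a substring
                return int(entry["id"])
        raise LookupError(f"no saved search named {name!r}; use Save Criteria first")

    def start_search(self, saved_id):
        """Step 3: POST /searches?saved_search_id=<id>; the reply carries search_id."""
        return json.loads(self._call("POST", "/searches", {"saved_search_id": saved_id}))["search_id"]

    def wait_until_complete(self, search_id, poll=2.0, timeout=600.0, sleep=time.sleep):
        """Assumed polling step: results are only final once status is COMPLETED."""
        deadline = time.monotonic() + timeout
        while True:
            status = json.loads(self._call("GET", f"/searches/{search_id}"))["status"]
            if status == "COMPLETED":
                return status
            if status in ("ERROR", "CANCELED"):
                raise RuntimeError(f"search {search_id} ended with status {status}")
            if time.monotonic() >= deadline:
                raise TimeoutError(f"search {search_id} still {status} after {timeout}s")
            sleep(poll)

    def results(self, search_id, fmt="json", first=0, last=49):
        """Step 4: GET /searches/<search_id>/results with Range: items=first-last."""
        return self._call("GET", f"/searches/{search_id}/results",
                          accept=ACCEPT_TYPES[fmt], extra={"Range": f"items={first}-{last}"})

    def export_saved_search(self, name, fmt="json", first=0, last=49, sleep=time.sleep):
        saved_id = self.saved_search_id(name)
        search_id = self.start_search(saved_id)
        self.wait_until_complete(search_id, sleep=sleep)
        return saved_id, search_id, self.results(search_id, fmt, first, last)

def canned_console(log):
    """Constructed stand-in for a console (made-up ids/events) so the flow runs offline."""
    polls = [0]
    def opener(method, url, headers):
        parts = urllib.parse.urlsplit(url)
        log.append((method, parts.path, headers))  # keeps every request for inspection
        if headers.get("SEC") != "constructed-token":
            return 401, b"unauthorized"
        if method == "GET" and parts.path.endswith("/saved_searches"):
            return 200, json.dumps([{"id": 2917, "name": "Malware Events by Name"}]).encode()
        if method == "POST" and parts.path.endswith("/searches"):
            return 201, json.dumps({"search_id": "c0ffee42", "status": "WAIT"}).encode()
        if method == "GET" and parts.path.endswith("/results"):
            return 200, json.dumps({"events": [{"eventname": "Constructed Event"}]}).encode()
        if method == "GET" and "/searches/" in parts.path:  # status poll: EXECUTE, then COMPLETED
            polls[0] += 1
            return 200, json.dumps({"status": "COMPLETED" if polls[0] > 1 else "EXECUTE"}).encode()
        return 404, b"not found"
    return opener

def run_demo():
    """Run the whole flow against the canned console and report what was observed."""
    log = []
    api = QRadarAriel("console.example", "constructed-token", opener=canned_console(log))
    saved_id, search_id, raw = api.export_saved_search("Malware Events by Name", sleep=lambda s: None)
    return {"saved_search_id": saved_id, "search_id": search_id, "requests": len(log),
            "events": json.loads(raw)["events"],
            "range_header": next(h["Range"] for _, p, h in log if p.endswith("/results"))}

if __name__ == "__main__":  # real run: set QRADAR_CONSOLE and QRADAR_SEC_TOKEN in the environment
    c, t = os.environ.get("QRADAR_CONSOLE"), os.environ.get("QRADAR_SEC_TOKEN")
    print(QRadarAriel(c, t).export_saved_search("Malware Events by Name")[2] if c and t else run_demo())
```

The token is read from the environment rather than typed on the command line, so it does not land in the shell history the way the curl example's SEC value does; the offline run shows the exact sequence of calls (one lookup, one POST, two status polls, one results pull) and the Range header sent with the last one.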

Document Location

Worldwide


Document Information

Modified date:
14 October 2022

UID

ibm16540268