IBM Support

QRadar: How to extract QID, and Low- and High-Level Category information through the QRadar RestAPI

How To


Summary

How do you extract the data on QIDs in QRadar, with their event name, description, log source type, and category, through the QRadar® RestAPI?

Steps

Combining the following API calls gives you output that includes:
[qid, eventName, eventDescription, lowLevelCategory, severity]

The QRadar API endpoints you need are:

GET - /data_classification/qid_records
GET - /data_classification/dsm_event_mappings
GET - /data_classification/low_level_categories

You can perform the lookups either from the CLI (for example with curl, as shown below) or in the GUI, on the Interactive API Documentation for Developers page.

How do you extract the High-Level Category of an event when you know the QID?

Listing all values of the high_level_categories endpoint will not help you directly, because nothing in that output references the QID. Instead, first run a lookup against the qid_records endpoint, then follow the category IDs it returns.

Example: QID 64101, console IP is 10.10.218.220
QRadar 7.4.3 uses API Version 16.0 by default, and QRadar 7.5.0 uses API Version 17.0 by default.

[root@qradar ~]# curl -S -X GET -H 'SEC:<API Token>' -H 'Version: 16.0' -H 'Accept: application/json' 'https://10.10.218.220/api/data_classification/qid_records/64101'

{"severity":3,"name":"NETBIOS-DG SMB veritas WriteAndX andx bind attempt","description":"","log_source_type_id":null,"id":64101,"low_level_category_id":1003,"qid":2500104,"uuid":null}
Note the value pair "low_level_category_id":1003 in the output.

Now you can look up that value against the low_level_categories endpoint:
[root@qradar ~]# curl -S -X GET -H 'SEC:<API Token>' -H 'Version: 16.0' -H 'Accept: application/json' 'https://10.10.218.220/api/data_classification/low_level_categories/1003'

{"severity":3,"high_level_category_id":1000,"name":"Host Query","description":"Host Query","id":1003}

Your answer is in the value pair "high_level_category_id":1000.

You can verify the previous value (1000) with a lookup against the high_level_categories endpoint:

[root@qradar ~]# curl -S -X GET -H 'SEC:<API Token>' -H 'Version: 16.0' -H 'Accept: application/json' 'https://10.10.218.220/api/data_classification/high_level_categories/1000'

{"name":"Recon","description":"Events related to scanning and other techniques used to identify network resources","id":1000}
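The three lookups above chained into one script, as an added example that is not part of this technote or of IBM's own tooling. It assumes the console address, SEC token and API version are supplied by the caller; the sample responses embedded below are constructed from the JSON shown on this page, so the resolution logic runs offline. Note that the path parameter in the first request is the record's "id" field (64101), which differs from its "qid" field (2500104).

```python
"""Resolve a QRadar QID record to its low- and high-level category names.

Added example (not IBM code): walks qid_records -> low_level_categories ->
high_level_categories and returns the fields listed in the technote.
"""
import json
import ssl
import urllib.request


def make_fetcher(console, token, version="16.0"):
    """Return fetch(path) that GETs https://<console>/api<path> with the SEC header.

    console and token are assumed inputs; TLS verification is left at the
    urllib default so a self-signed console certificate is reported, not hidden.
    """
    def fetch(path):
        req = urllib.request.Request(
            f"https://{console}/api{path}",
            headers={"SEC": token, "Version": version, "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
            return json.load(resp)
    return fetch


def resolve_qid(record_id, fetch):
    """Chain the three data_classification lookups for one qid_records id."""
    rec = fetch(f"/data_classification/qid_records/{record_id}")
    low = fetch(f"/data_classification/low_level_categories/{rec['low_level_category_id']}")
    high = fetch(f"/data_classification/high_level_categories/{low['high_level_category_id']}")
    return {
        "qid": rec["qid"],                      # 2500104, not the record id 64101
        "eventName": rec["name"],
        "eventDescription": rec["description"],
        "lowLevelCategory": low["name"],
        "highLevelCategory": high["name"],
        "severity": rec["severity"],
    }


# Constructed sample responses, copied from the technote output, for offline use.
SAMPLE = {
    "/data_classification/qid_records/64101": {"severity": 3, "name": "NETBIOS-DG SMB veritas WriteAndX andx bind attempt", "description": "", "log_source_type_id": None, "id": 64101, "low_level_category_id": 1003, "qid": 2500104, "uuid": None},
    "/data_classification/low_level_categories/1003": {"severity": 3, "high_level_category_id": 1000, "name": "Host Query", "description": "Host Query", "id": 1003},
    "/data_classification/high_level_categories/1000": {"name": "Recon", "description": "Events related to scanning and other techniques used to identify network resources", "id": 1000},
}


def sample_fetch(path):
    """Offline stand-in for make_fetcher(): serve the embedded sample responses."""
    return SAMPLE[path]


if __name__ == "__main__":
    # Against a live console: fetch = make_fetcher("10.10.218.220", "<API Token>")
    print(json.dumps(resolve_qid(64101, sample_fetch), indent=2))
```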



Document Information

Modified date:
28 April 2022

UID

ibm16560132