IBM Support

QRadar: How to update an existing QID record using the QRadar API

How To


Summary

This article provides a step-by-step guide on how to update existing custom QID records of any Log Source Type with the QRadar API.

Steps

Important:
  • The API can update only custom QID records; system-provided QID records cannot be modified.
  • The fields of the QID record to be updated must be provided in JSON format.
  • For POST requests the user must have Admin or Saasadmin (QRadar on Cloud) permission. There are no permission restrictions for GET requests.
Custom QID records can be updated through the Interactive API for Developers (GUI) or from the command line (CLI).

From the Graphical Interface (GUI)

Obtain the ID of the QID record to be updated:

  1. Navigate to https://<Console IP>/api_doc.
  2. Go to data_classification, then qid_records, and select GET:
    Endpoint to retrieve the QID record ID
  3. Under the filter parameter, enter the name or the QID of the record to be edited, in the format name="value" or qid=value:
    Obtain the ID of a QID record using its name.
    OR
    Obtain the ID of a QID record using the QID value.
  4. In the right pane, scroll down and click Try it Out!
  5. Retrieve the ID of the QID record:
Response body example of the API call
Update the QID record:
  1. Go to data_classification, then qid_records, and then {qid_record_id}, select POST:
    Endpoint to update the QID record
  2. Under the qid_record_id parameter, enter the ID of the QID record.
  3. The qid_record parameter carries the fields of the QID record to update. The fields must be provided in JSON format: {"field":"New value"}. To edit more than one field at a time, separate them with a comma ",": {"field1":"New value","field2":"New value"}.
    Example of parameters needed to update a QID record.
  4. In the right pane, scroll down and click Try it Out!
For a complete list of fields that can be edited, refer to the endpoint's response description documentation.
Results:
The QID record is updated with the new values provided. If the HTTP response code is anything other than 200, refer to the endpoint's response code documentation for a complete list of response codes. If the API is still not able to update the QID record, contact QRadar Support for assistance.

From the command line (CLI)

The cURL command is used to interact with the QRadar API from the command line. To run this command, the administrator must first generate an access token, or use an existing one with Admin or Saasadmin rights.

Obtain the ID of the QID record to be updated:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. Use one of the following commands to obtain the ID of the QID record:
    Filter by name:
    curl -S -X GET -H 'Version: <latest_API_version>' -H 'SEC: <security_token>' -H 'Accept: application/json' 'https://<Console IP>/api/data_classification/qid_records?filter=name%3D%22<Name of QID Record>%22'
    Filter by QID:
    curl -S -X GET -H 'Version: <latest_API_version>' -H 'SEC: <security_token>' -H 'Accept: application/json' 'https://<Console IP>/api/data_classification/qid_records?filter=qid%3D<QID>'
    1. Version: the QRadar API version; use the version that matches the QRadar environment in use.
    2. SEC: the SEC header contains the security token.
    3. <Name of QID Record>: replace it with the name of the QID record.
    4. <QID>: replace it with the QID value.
Example cURL command and results:

curl -S -X GET -H 'Version: 16.0' -H 'SEC: fa4000de-cc31-XXXX-XXXX-XXXXXXXXXXXX' -H 'Accept: application/json' 'https://<Console IP>/api/data_classification/qid_records?filter=name%3D%22TestQID%22'

{"severity":4,"name":"TestQID","description":"Test QID Record","log_source_type_id":null,"id":2288865,"low_level_category_id":4015,"qid":2000088,"uuid":"ded50d1f-e898-49e5-b418-cca1372f9bdb"}
Update the QID record:
  1. Use SSH to log in to the QRadar Console as the root user.
  2. To update the QID record, copy the ID obtained in the "Obtain the ID of the QID record to be updated" section and run the command:
    curl -S -X POST -H 'Content-Type: application/json' -H 'Version: <latest_API_version>' -H 'SEC: <security_token>' -H 'Accept: application/json' --data-binary '{"field":"value"}' 'https://<Console IP>/api/data_classification/qid_records/<ID of QID Record>'
    1. Version: the QRadar API version; use the version that matches the QRadar environment in use.
    2. --data-binary: carries the JSON body containing the fields of the QID record to be edited.
    3. <ID of QID Record>: replace it with the ID of the QID record to be updated.
Example:
curl -S -X POST -H 'Content-Type: application/json' -H 'Version: 16.0' -H 'SEC: fa4000de-cc31-XXXX-XXXX-XXXXXXXXXXXX' -H 'Accept: application/json' --data-binary '{"name":"UpdatedQIDRecord"}' 'https://<Console IP>/api/data_classification/qid_records/2288865'
Results:
The QID record is updated with the new values provided. If the HTTP response code is anything other than 200, refer to the endpoint's response code documentation for a complete list of response codes. If the API is still not able to update the QID record, contact QRadar Support for assistance.
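The two-step procedure above (look up the record ID by name or QID, then POST the changed fields to that ID) as an added Python example; this is not code from the article or from IBM. It assumes only the endpoints, headers and filter syntax shown in the cURL commands, a console whose TLS certificate the client trusts, and placeholder values for the console host, SEC token and record fields. It also refuses to POST when the filter matches zero or several records, so a mistyped name cannot update the wrong record.

```python
"""Update a custom QRadar QID record by name or QID via the REST API.

Assumes the endpoints from the article: GET /api/data_classification/qid_records
with a `filter` parameter, and POST /api/data_classification/qid_records/{id}
with a JSON body. Console host, SEC token and field values are placeholders.
"""
import json
import urllib.parse
import urllib.request


def build_filter(name=None, qid=None):
    """Return the URL-encoded filter for exactly one of name or qid.

    name="TestQID" becomes name%3D%22TestQID%22, as in the article's cURL call.
    """
    if (name is None) == (qid is None):
        raise ValueError("supply exactly one of name or qid")
    raw = f'name="{name}"' if name is not None else f"qid={int(qid)}"
    return urllib.parse.quote(raw, safe="")


def extract_record_id(records):
    """Return the id from a GET response; refuse empty or ambiguous matches."""
    if len(records) != 1:
        raise LookupError(f"expected exactly one QID record, got {len(records)}")
    return records[0]["id"]


def _call(method, url, token, version, body=None):
    """Send one API request with the Version/SEC/Accept headers the article uses."""
    headers = {"Version": version, "SEC": token, "Accept": "application/json"}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on non-2xx codes
        return json.load(resp)


def update_qid_record(console, token, version, fields, name=None, qid=None):
    """Look up the record ID, then POST `fields` (e.g. {"name": "NewName"}) to it."""
    base = f"https://{console}/api/data_classification/qid_records"
    records = _call("GET", f"{base}?filter={build_filter(name, qid)}", token, version)
    record_id = extract_record_id(records)
    return _call("POST", f"{base}/{record_id}", token, version, body=fields)


if __name__ == "__main__":  # placeholder values; replace before running
    print(update_qid_record("CONSOLE_IP", "SEC_TOKEN", "16.0",
                            {"name": "UpdatedQIDRecord"}, name="TestQID"))
```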

Document Location

Worldwide


Document Information

Modified date:
20 May 2022

UID

ibm16573917