IBM Support

QRadar: How to enable or disable rules by using the QRadar API

How To


Summary

This article contains step-by-step instructions for enabling or disabling rules by using the QRadar API.

Steps

Enabling or disabling rules can be done through the Interactive API for Developers (GUI) or from the command line (CLI):

From the graphical user interface (GUI)

  1. Open the Interactive API for Developers, navigating to:
    https://<Console_IP>/api_doc
  2. Go to analytics and select rules.
  3. Scroll down to the Parameters section and enter the following information:
    fields: Enter the value id,name.
    filter: Enter name like "%<name>%". Replace <name> with the rule name or part of the rule name to be disabled or enabled. For this example, the rule name is "TEST Article Rule".
    range: The default range value is items=0-49. If more than 50 rules match the filter, the response contains only the first 50, so narrow the filter or request a further range.
  4. Click Try It Out!
  5. Scroll down to Response Body to get the rule ID. Save the id value.
    Because the filter is a substring match, the response can list several rules. Confirm that the id you save belongs to the rule you intend to change.
  6. Go to analytics, then click rules and select {id}.
  7. Select POST.
  8. Go to the Parameters section.
  9. Enter the following information:
    id: Enter the rule ID.
    rule: Enter {"enabled": false} to disable the rule, or {"enabled": true} to enable it.
    For this example, the rule is disabled.
  10. Check the Response Body section to verify whether the rule was enabled or disabled.
    The "enabled" field shows the rule status: true if the rule is enabled, false if it is disabled.

    Result
    The administrator can disable or enable a rule by using the Interactive API for Developers tool.

From the command line (CLI)

The cURL command is used to enable or disable rules from the command line.

To run this command, the administrator needs an account with admin rights, or an authorized service token with admin rights that is sent in the SEC header.

Use this command to enable or disable a rule:
curl -S -X POST -u admin -H 'Content-Type: application/json' -H 'Version: <API_version>' -H 'Accept: application/json' --data-binary '{"enabled": <action>}' 'https://<console_IP>/api/analytics/rules/<rule_id>'
  • -u admin: Authenticates as the admin user; cURL prompts for the password. To authenticate with an authorized service token instead, replace -u admin with -H 'SEC: <token>'.
  • Version: The QRadar API version. Use the version of the QRadar environment that is used.
  • --data-binary: Sets the new rule state. Use {"enabled": false} to disable the rule and {"enabled": true} to enable it.
  • <rule_id>: Replace it with the rule ID. See the From the graphical user interface (GUI) section in this article to get the rule ID in case this information is not available.
  • If the console certificate is not in the cURL trust store, pass the console CA certificate with --cacert rather than disabling verification with -k.
The response body echoes the rule; its "enabled" field confirms the new state.
Command example:
curl -S -X POST -u admin -H 'Content-Type: application/json' -H 'Version: 18.0' -H 'Accept: application/json' --data-binary '{"enabled": false}' 'https://<console_IP>/api/analytics/rules/101039'

Result
The rule is disabled or enabled by using a cURL command in CLI. 
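The following script carries out both procedures in this article end to end: it looks up rule IDs with the same fields, filter and Range parameters as the GUI steps, then sends the same POST as the cURL command and checks the "enabled" field in the response. It is an added example, not code from the IBM article. It assumes API version 18.0 as in the cURL example, authentication with an authorized service token in the SEC header, and the environment variable names QRADAR_CONSOLE, QRADAR_SEC_TOKEN and QRADAR_CA_FILE, which are this example's own choice.

```python
"""Look up QRadar rules by name and enable or disable them through the REST API.

Added example, not code from the IBM article. Assumes the endpoints the article
uses (GET /api/analytics/rules with fields, filter and Range; POST
/api/analytics/rules/{id}), API version 18.0 and an authorized service token
in the SEC header. The environment variable names are this example's own.
"""
import functools
import json
import os
import ssl
import sys
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "18.0"  # the article's example; use your console's version


def urllib_transport(method, url, params, headers, body=None, cafile=None):
    """Send one HTTPS request and return (status, decoded JSON body).

    Certificate checks stay on: pass the console CA file in cafile instead of
    disabling verification (the cURL equivalent is --cacert, not -k).
    """
    if params:
        url = f"{url}?{urllib.parse.urlencode(params)}"
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers = dict(headers, **{"Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read().decode() or "null")


class QRadarRules:
    """Minimal client for the two calls the article describes."""

    def __init__(self, console, sec_token, transport=None, cafile=None, page_size=50):
        self.base = f"https://{console}/api/analytics/rules"
        self.headers = {"SEC": sec_token, "Version": API_VERSION, "Accept": "application/json"}
        self.transport = transport or functools.partial(urllib_transport, cafile=cafile)
        self.page_size = page_size  # the API doc's default Range is items=0-49

    def find_rules(self, name_fragment):
        """GET rules whose name contains name_fragment, walking every Range page."""
        # The fragment is spliced into a filter expression; a double quote or %
        # inside it would change the expression, so refuse them instead of escaping.
        if '"' in name_fragment or "%" in name_fragment:
            raise ValueError("name fragment must not contain a double quote or %")
        params = {"fields": "id,name", "filter": f'name like "%{name_fragment}%"'}
        found, start = [], 0
        while True:
            end = start + self.page_size - 1
            headers = dict(self.headers, Range=f"items={start}-{end}")
            status, page = self.transport("GET", self.base, params, headers)
            if status != 200:
                raise RuntimeError(f"rule lookup failed with HTTP {status}: {page}")
            found.extend(page)
            if len(page) < self.page_size:  # a short page is the last one
                return found
            start = end + 1

    def set_enabled(self, rule_id, enabled):
        """POST {"enabled": enabled} to one rule and verify the echoed state (step 10)."""
        if not isinstance(enabled, bool):
            raise TypeError("enabled must be True or False, not a string")
        url = f"{self.base}/{int(rule_id)}"
        status, rule = self.transport("POST", url, None, self.headers, {"enabled": enabled})
        if status != 200:
            raise RuntimeError(f"POST to rule {rule_id} failed with HTTP {status}: {rule}")
        if rule.get("enabled") is not enabled:
            raise RuntimeError(f"rule {rule_id} reports enabled={rule.get('enabled')!r}")
        return rule

    def set_enabled_by_name(self, name_fragment, enabled):
        """Resolve the fragment to exactly one rule before changing anything.

        'name like "%x%"' is a substring match, so a short fragment can match
        several rules; refusing an ambiguous match avoids touching the wrong one.
        """
        rules = self.find_rules(name_fragment)
        if len(rules) != 1:
            listing = ", ".join(f'{r["id"]}: {r["name"]}' for r in rules) or "none"
            raise LookupError(f"{len(rules)} rules match {name_fragment!r}: {listing}")
        return self.set_enabled(rules[0]["id"], enabled)


if __name__ == "__main__":
    # Usage: python qradar_rule_toggle.py "TEST Article Rule" disable
    client = QRadarRules(os.environ["QRADAR_CONSOLE"], os.environ["QRADAR_SEC_TOKEN"],
                         cafile=os.environ.get("QRADAR_CA_FILE"))
    action = {"enable": True, "disable": False}[sys.argv[2]]
    rule = client.set_enabled_by_name(sys.argv[1], action)
    print(f'rule {rule["id"]} "{rule["name"]}" enabled={rule["enabled"]}')
```

The transport is injectable so the lookup and verification logic can be exercised against a fake console; in production the default urllib transport is used with the console CA certificate, which keeps certificate validation on.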

Document Location

Worldwide

Product: IBM Security QRadar SIEM; Category: Rules; Platform: Platform Independent; Version: 7.4.3, 7.5.0

Document Information

Modified date:
30 November 2022

UID

ibm16838613