The QRadar API
For a full overview of the QRadar RESTful API, see the QRadar RESTful API Docs.
To make the best use of the capabilities QRadar provides to apps, you need to use the QRadar RESTful API. With each new version of QRadar, we try to provide a more open way of interacting with QRadar through the API. Be sure to check what version of the API you are developing against and track what capabilities it has.
Call the API from within your app
qpylib provides you with the easiest way to do so. The following example shows how you can use the qpylib.REST() function.
```python
from qpylib import qpylib

headers = {'Accept': 'application/json', 'Content-Type': 'application/json'}
# offense_id holds the ID of the offense to look up; str() keeps the concatenation valid for integer IDs
params = {'filter': 'id = ' + str(offense_id)}
response = qpylib.REST('GET', '/api/siem/offenses', headers=headers, params=params, version='7.0')
```
This example shows how a REST call into QRadar can be built for the qpylib function. The function is structured as follows:
REST(<method>, <url>, headers=<headers>, data=<data>, params=<params>, json=<json>, version=<version>)
Where the method is GET, POST, DELETE, or PUT, and the url corresponds to the desired API. Headers corresponds to any required header information. Data corresponds to any required data (usually in a PUT or POST). Params corresponds to any required parameters. Json corresponds to any required JSON input, and the version indicates the version of the API you want to use.
Best Practices with API Calls:
- Always set the version on an API call. If it is not included, the app uses the latest version, which might not expect the provided parameters or might return output that the app cannot handle.
- When reading an API response, always do so in a try/except block.
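Both best practices combined, as an added example that is not part of the original page or of qpylib: the version is pinned and the response is read inside a try/except block. It assumes the object returned by qpylib.REST exposes `status_code` and `json()` like a requests response; `get_offense`, `OffenseLookupError`, `FakeResponse` and `fake_rest` are hypothetical names, and the stub and its data are constructed so the code runs without a QRadar console.

```python
import json

API_VERSION = '7.0'  # always pinned, never left to "latest"


class OffenseLookupError(Exception):
    """The API returned something the app cannot handle."""


def get_offense(rest, offense_id):
    """Return the offense as a dict, or None when no offense has that ID.

    `rest` is a callable with the REST(...) signature above; inside an app
    pass qpylib.REST. Injecting it lets this example run offline.
    """
    # Only a plain non-negative integer is ever placed in the filter string.
    if isinstance(offense_id, bool) or not isinstance(offense_id, int) or offense_id < 0:
        raise ValueError('offense_id must be a non-negative integer')
    headers = {'Accept': 'application/json', 'Content-Type': 'application/json'}
    params = {'filter': 'id = ' + str(offense_id)}
    response = rest('GET', '/api/siem/offenses', headers=headers,
                    params=params, version=API_VERSION)
    try:
        if response.status_code != 200:
            raise OffenseLookupError('HTTP status %d' % response.status_code)
        offenses = response.json()  # raises ValueError on a non-JSON body
        if not isinstance(offenses, list):
            raise OffenseLookupError('expected a JSON list of offenses')
        return offenses[0] if offenses else None
    except ValueError as exc:
        raise OffenseLookupError('response body is not valid JSON') from exc


class FakeResponse:
    """Constructed stand-in exposing status_code and json() (assumed interface)."""
    def __init__(self, status_code, body):
        self.status_code, self.body = status_code, body

    def json(self):
        return json.loads(self.body)


def fake_rest(body, status_code=200, calls=None):
    """Constructed stub: returns a callable with the REST(...) signature."""
    def rest(method, url, headers=None, data=None, params=None, json=None, version=None):
        if calls is not None:
            calls.append({'url': url, 'params': params, 'version': version})
        return FakeResponse(status_code, body)
    return rest
```

Inside an app the call is `get_offense(qpylib.REST, offense_id)`; a non-200 status, an HTML error page or an unexpected JSON shape all surface as one `OffenseLookupError` the caller can handle.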
For more information
- See development questions in our forum
- See QRadar questions in our forum