Qradar rest api examples


  • QRadar App Boilerplate
  • A Gentle Introduction to the X-Force Exchange API
  • Getting Started with IBM QRadar and Red Hat Ansible Automation Platform
    By consolidating log events and network flow data from thousands of devices, endpoints, users and applications distributed throughout your network, QRadar correlates all this different information and aggregates related events into single alerts to accelerate incident analysis and remediation.

    Ansible and QRadar, better together

    Ansible is the open and powerful language security teams can use to interoperate across the various security technologies involved in their day-to-day activities.

    Customers can take advantage of the IBM QRadar Content Collection to create sophisticated security workflows through the automation of the following functionalities:

      • Log sources configuration
      • Offense rules enablement
      • Offense management

    Ansible allows security organizations to integrate QRadar into automated security processes, enabling them to automate QRadar configuration deployments in recurring situations like automated test environments, but also in large scale deployments where similar tasks have to be rolled out and managed across multiple nodes.

    Security practitioners can automate investigation activities, enabling QRadar to programmatically access new data sources. They also now have the ability to enable and disable correlation rules to support incident prioritization in more complex security workflows.

    Furthermore, users can leverage Ansible to change the priority of an offense, its ownership and track activities in its note field directly as part of automated processes.

    As of today, the Collection contains multiple modules and two plugins. The modules are built around the typical use cases of QRadar and follow the usage patterns of QRadar. After the installation of the collection mentioned above, we need to make sure that Ansible is capable of authenticating to QRadar.

    Enabling security automation use cases: investigation enrichment

    The real power of Red Hat Ansible Automation Platform integrating QRadar shows when we use it in typical security automation use cases.

    Doing this manually can be repetitive and time-consuming. The Ansible Content Collections developed as part of the Ansible security automation initiative can help to overcome these challenges, as we have already shown in our dedicated blog post Getting started with Ansible security automation: investigation enrichment.

    In that blog post we showed how QRadar as SIEM is a crucial part of the security environment and how Ansible automates the corresponding tasks: log sources from various systems can be automatically added or removed as needed, enabling security analysts to view information the moment they need it — and removing the logs when the investigation is done.

    Note that adding or removing log sources is usually only a part of larger automation processes supporting the security practitioners. They can also be created in advance and be part of a library of predefined automation processes ready to be consumed when needed.

    Together with Ansible Tower, access to the elements of such a library can be controlled with typical enterprise governance processes like RBAC.

    Takeaways and going forward

    IBM Security QRadar helps security teams accurately detect and prioritize threats across the organization.

    Using the Ansible Content Collection for IBM QRadar, customers can integrate QRadar into larger security automation processes such as investigation enrichment and automate sophisticated security workflows. As next steps, there are plenty of resources to follow up on the topic: learn where you are in your journey to security automation, and what challenges are ahead of you.

    Learn more about the Ansible Security Automation use case of the Red Hat Ansible Automation Platform. If you want to see the above mentioned playbooks and setup in action, check out the corresponding video on our YouTube channel.

    This facility opens the vast trove of current and historical threat information that the IBM Security X-Force has collected since the s.

    What Is the API?

    The APIs fall into three rough categories:

      • A query to retrieve an anonymous authorization token that does not require a login, and another to refresh it periodically;
      • Public queries that require only an anonymous authorization token;
      • Authenticated queries that require an authenticated authorization token.

    This article focuses on the public queries that clients can invoke with an anonymous authentication token. This page identifies the queries and options and the data model for the JSON results. It even allows you to interactively run the queries, showing an equivalent curl command, the request URL and the response body. This offers quick query testing before enshrining them in an application. As with many Web-based applications, X-Force Exchange omits response fields that have no value in the database.

    Clients must pay attention to the Model and Model Schema tabs on the documentation page to ensure they have all the necessary fields, and they must be prepared for certain values not to exist in some responses. You can get more detailed help using the xforce-exchange tag in IBM developerWorks.

    What Can It Do?

    Excluding authorization and the TAXII interface, the public APIs fall into seven basic categories, each providing current data and some offering historical data.

    The report accounts for both current live and historical information for the domain, including the results of passive DNS monitoring by the IBM Security sensor network. Of course, the database includes many less-than-reputable applications, as well, and it offers risk assessments and categorization for each. Three queries allow clients to enumerate the IAPs, conduct full-text search for applications and retrieve the application specifics.

    These include malware samples associated with the IP address, if any. One query retrieves the reputation report for an IP address, another retrieves the reputation history and the third retrieves records of associated malware. The results include details of domain names and IP addresses associated with the malware, as well as its detected origins. For example, malware detected attached to spam or phishing emails reports the subject of the emails in addition to the origin IP address and purported origin domain.

    One query allows full-text search of the signature definitions, while the other allows clients to retrieve signature details. One retrieves the reputation and history of a URL, while the other retrieves information related to malware associated with the URL.

    The vulnerability records provide not just details on a vulnerability, but also offer links to relevant online documents and CVSS scoring with component breakdown.

    Full-Text Searching

    The queries offering full-text searching contain fulltext in their query paths. They allow you to perform case-insensitive searches for specific strings, optionally with single- and multiple-character wild cards (such as the ? wildcard). They also support more powerful search syntax using the Lucene query specification.

    The API applies the search to all database fields that contain natural text, such as descriptions and titles. The Query Parser Syntax documentation at the Apache Software Foundation provides details on the search language syntax. You should pay particular attention to the Escaping Special Characters section of that document.

    In addition, you must properly encode the search phrase so that it can form part of a valid URL. The full-text search queries return a capped number of items, so you may have to add search terms to narrow results.

    If you use the same language as one of these, you can avoid doing some of the interface work. The goxforce project provides a Go language, or Golang, library. The ibmxforceex. The xForce project brings limited support for the R programming language. The Golang library seems to cover the largest subset of the API, with the Python project a close runner-up.

    The R project focuses on analyzing and graphing risk scores for IAPs. However, those fundamentals provide plenty of examples for extending it to cover more of the API.

    Foundations

    The rest of this article covers some of the nuts and bolts of interacting with the X-Force Exchange API, in case you implement your own interface. We present only snippets and examples rather than production code.

    Since https. The examples encapsulate this operation in a function called startRequest. The caller passes in the full path for the query, including any parameters, all nicely escaped to be legal as URL components.

    The caller also passes the name of a function to process the JSON results. The startRequest function uses a global variable called xfeOptions as a template of the access parameters for https. The function makes a copy of the xfeOptions template and sets the query path using the path string argument. Then it invokes https. Upon completion, the function dissects the response with the JSON parser and passes the results to the caller-supplied function. That means that you must take care to ensure that individual response values actually exist before trying to manipulate them.

    Authorization

    You must acquire an anonymous authorization token before any public API queries will succeed. The startRequest function expects that the processing function saved an appropriate header in the xfeOptions structure: xfeOptions.

    You can also use the token until queries return error Not Authorized and refresh or replace the token at that time. With the token — or header, as it were — in hand, the public API opens for your business. In the discussion below, space constraints prevent full listings of the JSON results of these queries. You can use the interactive query capability of the X-Force Exchange API help page to see the full scope of the results.

    The results provide additional value over actual DNS queries by integrating information accrued passively by the IBM Security sensor network in addition to the information that the DNS system provides in a live query. The request itself uses a simple syntax, and the results mirror those of common DNS queries. For example, to retrieve information on the www.

    Each holds an array of strings expressing the values. The response may also contain an object named MX to supply mail exchange information. The MX object contains an array of objects, one for each mail exchange. Each of those objects contains fields named exchange and priority, which supply the name of the mail exchange server and its priority, just as a DNS MX query would. At the time of writing this article, the example domain returned the following:

    A Little More Complex …

    I mentioned interesting results earlier, and this is when things get interesting.

    Retrieving information about malware associated with a URL or domain uses a query as simple as the previous one, but it produces more complex results.

    When writing this article, the query returned five malware samples associated with this domain, all detected between May 7, , and May 26, Apparently, during the month of May, some enterprising spammers forged the domain name on spam email. The query returns a single JSON object named malware, containing an array of one object for each malware sample associated with the domain.

    Each object contains several fields that describe the malware instance and its association with the domain. Other sources would report different type values as appropriate. The md5 object provides the MD5 hash for the sample to allow further queries in X-Force Exchange and other services. The object ip gives the IP address from which the spam message originated.

    The evidence for address forgery comes mainly by checking the IP addresses from which the spam messages were sent. Obviously any email could forge any sender address regardless of the actual sender. The five samples originated from four different IPv4 addresses: If they really originated with Schneider Electric, five samples probably would not originate from four different IPv4 addresses in widely scattered subnets.

    Further, checking those IP addresses, we find that exactly none of them have any apparent affiliation with the company or its domain name. The response JSON data contains a single object named malware, and it looks pretty simple at first. Then you notice that it contains a variety of objects that contain other objects, etc. Mimetype specifies the MIME data type that contained the malware when the sensor network detected it.

    Md5 reiterates the MD5 hash value passed in the query. The remaining response objects contain other objects. The family array provides the names of malware families in which X-Force Exchange categorizes the sample. For each family name, the familyMembers object contains a count of the number of samples of that family detected by the sensor network.

    The entries in the familyMembers array take the name of the family and contain an attribute count giving the count for that family. The emails array contains details of email messages in which the sensor network detected the malware, and the objects in the subjects array describe the subject lines of those email messages. Finally, the downloadServers array contains objects giving details of servers from which clients downloaded the malware.

    Each of these four objects contains two objects: count identifies the number of objects, and rows contains one object for each server. The objects in each rows array have different fields, determined by which of the four objects emails, subjects, CnCServers or downloadServers contains them. As previously mentioned, the API help page provides the details of all available queries, describes their results and lets you interactively test them.
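The two result shapes described above, the malware array returned for a domain and the per-hash malware report, summarised the way the article reasons about them by hand. This is an added example, not code from the article: the sample responses are constructed for it, use RFC 5737 documentation addresses and placeholder hashes in place of real indicators, and assume that familyMembers is keyed by family name with a count attribute and that the rows field names (origin, subject) look as shown.

```javascript
// Added example, not the article's own code. Constructed sample responses:
// real indicators are replaced by documentation addresses and placeholder hashes.

// "Malware associated with a domain": one object per sample. The last sample
// has no ip field, mirroring the service's habit of omitting empty fields.
const domainMalware = {
  malware: [
    { type: 'spam', md5: 'PLACEHOLDER-MD5-1', ip: '192.0.2.10' },
    { type: 'spam', md5: 'PLACEHOLDER-MD5-2', ip: '192.0.2.10' },
    { type: 'spam', md5: 'PLACEHOLDER-MD5-3', ip: '198.51.100.7' },
    { type: 'phishing', md5: 'PLACEHOLDER-MD5-4', ip: '203.0.113.22' },
    { type: 'spam', md5: 'PLACEHOLDER-MD5-5' },
  ],
};

// "Malware report by MD5". The CnCServers section is left out entirely, again
// as the service does for fields with no value. Row field names are assumed.
const hashReport = {
  malware: {
    mimetype: 'application/zip',
    md5: 'PLACEHOLDER-MD5-1',
    family: ['FamilyB', 'FamilyA'],
    familyMembers: { FamilyA: { count: 120 }, FamilyB: { count: 3 } }, // assumed shape
    emails: { count: 2, rows: [{ origin: '192.0.2.10' }, { origin: '198.51.100.7' }] },
    subjects: { count: 1, rows: [{ subject: 'Invoice attached' }] },
    downloadServers: { count: 0, rows: [] },
  },
};

// Distinct origin IPs and distinct IPv4 /24 networks for the samples tied to a
// domain, plus a per-type tally. Several samples arriving from unrelated
// networks supports the article's forged-sender reading: a genuine sender
// would not normally show up from widely scattered subnets.
function originSummary(resp) {
  const samples = Array.isArray(resp.malware) ? resp.malware : [];
  const ips = new Set();
  const nets = new Set();
  const byType = {};
  for (const s of samples) {
    const t = s.type || 'unknown';
    byType[t] = (byType[t] || 0) + 1;
    if (typeof s.ip !== 'string') continue; // ip may be absent
    ips.add(s.ip);
    const parts = s.ip.split('.');
    if (parts.length === 4) nets.add(parts.slice(0, 3).join('.') + '.0/24');
  }
  return {
    samples: samples.length,
    distinctIps: [...ips].sort(),
    distinctNets: [...nets].sort(),
    byType,
  };
}

// Family names with their sensor-network counts (largest first) and the number
// of rows in each of the four evidence sections; a missing section counts as 0.
function reportSummary(resp) {
  const m = resp.malware || {};
  const members = m.familyMembers || {};
  const families = (m.family || [])
    .map((name) => ({ name, count: (members[name] || {}).count || 0 }))
    .sort((a, b) => b.count - a.count);
  const sections = {};
  for (const name of ['emails', 'subjects', 'CnCServers', 'downloadServers']) {
    const sec = m[name];
    sections[name] = sec && Array.isArray(sec.rows) ? sec.rows.length : 0;
  }
  return { md5: m.md5, mimetype: m.mimetype, families, sections };
}
```

Both summarisers treat every field as optional, which is the habit the article asks for: a missing ip, family list or evidence section degrades to an empty set or a zero count instead of a thrown exception halfway through a batch of lookups.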

    Though X-Force Exchange only rolled out a few months ago, it continues to grow both in the scope of the data it hosts and the requests it supports. As the query capabilities expand, the API help page will document the additions.
