IBM Security QRadar

Version 7.3.0

API Guide

IBM
 Note
Before you use this information and the product that it supports, read the information in Notices on page 1725.

Product information
This document applies to IBM QRadar Security Intelligence Platform V7.3.0 and subsequent releases unless
superseded by an updated version of this document.
Copyright IBM Corporation 2014, 2017.
US Government Users Restricted Rights Use, duplication or disclosure restricted by GSA ADP Schedule Contract
with IBM Corp.
Contents
Chapter 1. What's new for developers in RESTful APIs in QRadar V7.3.0 . . . . . . . . 1
New endpoints in more detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
Deprecated endpoints in more detail . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Chapter 2. RESTful API overview . . . . . . . . . . . . . . . . . . . . . . . . . 7

Filter syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Sort syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Paging syntax . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
API error messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Cross-origin resource sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Chapter 3. API command-line client . . . . . . . . . . . . . . . . . . . . . . . 21

Chapter 4. API sample code. . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Chapter 5. Accessing the interactive API documentation page . . . . . . . . . . . . 25

Chapter 6. REST API V8.0 References . . . . . . . . . . . . . . . . . . . . . . 27

Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
GET /analytics/ade_rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
GET /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
POST /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
DELETE /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 31
GET /analytics/ade_rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . 32
GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . 35
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . 36
POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 39
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . 42
GET /analytics/building_blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
GET /analytics/building_blocks/building_block_delete_tasks/{task_id} . . . . . . . . . . . . . . 46
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . . 47
POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . . 50
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results . . . . . . . . . . 53
GET /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 55
POST /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 57
DELETE /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . 59
GET /analytics/building_blocks/{id}/dependents . . . . . . . . . . . . . . . . . . . . . 60
GET /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . . . 63
POST /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . . 64
GET /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . . . 67
POST /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . . 68
DELETE /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . 70
GET /analytics/custom_actions/interpreters . . . . . . . . . . . . . . . . . . . . . . . 71
GET /analytics/custom_actions/interpreters/{interpreter_id} . . . . . . . . . . . . . . . . . . 72
GET /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . . . 73
POST /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . . 74
GET /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . . 75
POST /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . . 76
DELETE /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . 78
GET /analytics/rule_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
GET /analytics/rule_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . . 80
POST /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 82
DELETE /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 84
GET /analytics/rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Copyright IBM Corp. 2014, 2017 iii

 GET /analytics/rules/rule_delete_tasks/{task_id} . . . . . . . . . . . . . . .
. 86 . . . . .
GET /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . . .
. 88 . . . . .
POST /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . .
. 90 . . . . .
GET /analytics/rules/rule_dependent_tasks/{task_id}/results . . . . . . . . . . .
. 93 . . . . .
GET /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . .
. 95 . . . . .
POST /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . .
. 97 . . . . .
DELETE /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . .
. 99 . . . . .
GET /analytics/rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . . . 100
Ariel endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
GET /ariel/databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
GET /ariel/databases/{database_name} . . . . . . . . . . . . . . . . . . . . . . . . 104
GET /ariel/event_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 105
GET /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 107
POST /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 108
DELETE /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 110
GET /ariel/flow_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . . 111
GET /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 113
POST /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 114
DELETE /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 116
GET /ariel/saved_search_delete_tasks/{task_id}. . . . . . . . . . . . . . . . . . . . . . 117
GET /ariel/saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 118
POST /ariel/saved_search_dependent_tasks/{task_id}. . . . . . . . . . . . . . . . . . . . 121
GET /ariel/saved_search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 124
GET /ariel/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
GET /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
POST /ariel/saved_searches/{id}. . . . . . . . . . . . . . . . . . . . . . . . . . . 128
DELETE /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 130
GET /ariel/saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . 131
GET /ariel/searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
POST /ariel/searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
GET /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
POST /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 139
DELETE /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . 141
GET /ariel/searches/{search_id}/results . . . . . . . . . . . . . . . . . . . . . . . . 142
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
GET /asset_model/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
POST /asset_model/assets/{asset_id} . . . . . . . . . . . . . . . . . . . . . . . . . 145
GET /asset_model/properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
GET /asset_model/saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 147
GET /asset_model/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 149
POST /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . 151
DELETE /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . 152
GET /asset_model/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . 153
GET /asset_model/saved_searches/{saved_search_id}. . . . . . . . . . . . . . . . . . . . 155
POST /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . 156
DELETE /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . 157
GET /asset_model/saved_searches/{saved_search_id}/results . . . . . . . . . . . . . . . . . 158
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
POST /auth/logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Configuration endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
GET /config/access/tenant_management/tenants . . . . . . . . . . . . . . . . . . . . . 160
POST /config/access/tenant_management/tenants. . . . . . . . . . . . . . . . . . . . . 162
GET /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . . . 163
POST /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . . 164
DELETE /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . 165
GET /config/deployment/hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
GET /config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 168
POST /config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 171
GET /config/deployment/license_pool. . . . . . . . . . . . . . . . . . . . . . . . . 174
GET /config/domain_management/domains. . . . . . . . . . . . . . . . . . . . . . . 175
POST /config/domain_management/domains . . . . . . . . . . . . . . . . . . . . . . 177

iv QRadar API Reference Guide

GET /config/domain_management/domains/{domain_id} . . . . . . . . . . . . . . . . . . 179
POST /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . . . 180
DELETE /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . . 182
GET /config/event_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . . 183
GET /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 185
POST /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 186
DELETE /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 188
GET /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . . 189
POST /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . . 190
GET /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . . 193
POST /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 194
DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . 196
GET /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . . 197
POST /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 198
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . . 200
POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 202
DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . 204
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . . 206
GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} . . . . . . . . 208
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . . 210
POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}. . . . . . . 213
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . . 216
GET /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . . 218
POST /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . . 221
GET /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . . 223
POST /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . . 225
DELETE /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . 226
GET /config/extension_management/extensions_task_status/{status_id} . . . . . . . . . . . . . 228
GET /config/extension_management/extensions_task_status/{status_id}/results . . . . . . . . . . . 230
GET /config/flow_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . . 231
GET /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . . 233
POST /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 234
DELETE /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 236
GET /config/flow_sources/custom_properties/property_expressions. . . . . . . . . . . . . . . 236
POST /config/flow_sources/custom_properties/property_expressions . . . . . . . . . . . . . . 238
GET /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . . 240
POST /config/flow_sources/custom_properties/property_expressions/{expression_id}. . . . . . . . . 242
DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 244
GET /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . . 245
POST /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . . 247
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . . 249
POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . . 250
DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 252
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . . . 254
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . . 257
POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . . 259
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . . . 262
GET /config/global_system_notifications . . . . . . . . . . . . . . . . . . . . . . . . 264
GET /config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . . . . . 266
GET /config/network_hierarchy/networks . . . . . . . . . . . . . . . . . . . . . . . 267
GET /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . . 268
PUT /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . . 269
GET /config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
GET /config/remote_networks/{network_id}. . . . . . . . . . . . . . . . . . . . . . . 272
GET /config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
GET /config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . . . . . . 274
GET /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . 275
POST /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . 277
GET /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . . 278
DELETE /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . 279
PUT /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . . 279

Contents v
 GET /config/store_and_forward/policies . . . . . . . . . . . . . . . . . . . . . . . . 281
GET /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . . 282
POST /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . . 284
DELETE /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . 285
Data classification endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
GET /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . . . 286
POST /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . . 287
GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . . . 289
POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . . 290
GET /data_classification/high_level_categories . . . . . . . . . . . . . . . . . . . . . . 292
GET /data_classification/high_level_categories/{high_level_category_id} . . . . . . . . . . . . . 293
GET /data_classification/low_level_categories . . . . . . . . . . . . . . . . . . . . . . 294
GET /data_classification/low_level_categories/{low_level_category_id} . . . . . . . . . . . . . . 296
GET /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . . 297
POST /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . . 298
GET /data_classification/qid_records/{qid_record_id}. . . . . . . . . . . . . . . . . . . . 300
POST /data_classification/qid_records/{qid_record_id} . . . . . . . . . . . . . . . . . . . 301
Forensics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
GET /forensics/capture/recoveries . . . . . . . . . . . . . . . . . . . . . . . . . . 303
POST /forensics/capture/recoveries. . . . . . . . . . . . . . . . . . . . . . . . . . 305
GET /forensics/capture/recoveries/{id} . . . . . . . . . . . . . . . . . . . . . . . . 306
GET /forensics/capture/recovery_tasks . . . . . . . . . . . . . . . . . . . . . . . . 308
GET /forensics/capture/recovery_tasks/{id} . . . . . . . . . . . . . . . . . . . . . . . 310
GET /forensics/case_management/case_create_tasks/{id} . . . . . . . . . . . . . . . . . . 312
GET /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . . 313
POST /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . . 314
GET /forensics/case_management/cases/{id} . . . . . . . . . . . . . . . . . . . . . . 316
GUI application framework endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . 317
GET /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . . . 317
POST /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . . 318
GET /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . . 319
POST /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . . 320
GET /gui_app_framework/applications . . . . . . . . . . . . . . . . . . . . . . . . 321
GET /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . . 323
POST /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . 326
PUT /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . . 329
DELETE /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . 330
GET /gui_app_framework/named_services . . . . . . . . . . . . . . . . . . . . . . . 331
GET /gui_app_framework/named_services/{uuid}. . . . . . . . . . . . . . . . . . . . . 333
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
GET /help/endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
GET /help/endpoints/{endpoint_id} . . . . . . . . . . . . . . . . . . . . . . . . . 338
GET /help/resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341
GET /help/resources/{resource_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 342
GET /help/versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
GET /help/versions/{version_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 345
IBM Security QRadar Risk Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . 346
GET /qrm/model_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
GET /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . . 348
POST /qrm/model_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . . 350
DELETE /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 351
GET /qrm/qrm_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . . 352
GET /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 354
POST /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 355
DELETE /qrm/qrm_saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . 357
GET /qrm/question_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
GET /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 360
POST /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 361
DELETE /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 363
GET /qrm/simulation_groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
GET /qrm/simulation_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . 365

vi QRadar API Reference Guide

 POST /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 367
DELETE /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 369
GET /qrm/topology_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . 370
GET /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 371
POST /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 373
DELETE /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 375
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . . . 376
GET /qvm/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
GET /qvm/filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
GET /qvm/network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
GET /qvm/openservices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
GET /qvm/saved_search_groups. . . . . . . . . . . . . . . . . . . . . . . . . . . 378
GET /qvm/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . 380
POST /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 382
DELETE /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 383
GET /qvm/saved_searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets . . . . . . . . . . . . . . . 385
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances . . . . . . . . . . . . 387
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities . . . . . . . . . . . . 389
GET /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . . 390
POST /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . . 391
GET /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . . 393
POST /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . . 394
DELETE /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . 395
GET /qvm/saved_searches/{saved_search_id}/vuln_instances . . . . . . . . . . . . . . . . . 396
POST /qvm/tickets/assign . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
GET /qvm/vulns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
GET /reference_data/map_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . . 399
GET /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 400
POST /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 403
GET /reference_data/map_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 406
GET /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . . 408
POST /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . . 409
POST /reference_data/map_of_sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . . 411
GET /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . . 412
POST /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . . 413
DELETE /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . 415
GET /reference_data/map_of_sets/{name}/dependents . . . . . . . . . . . . . . . . . . . 417
DELETE /reference_data/map_of_sets/{name}/{key} . . . . . . . . . . . . . . . . . . . . 418
GET /reference_data/map_of_sets_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . 420
GET /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . 421
POST /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 424
GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . 427
GET /reference_data/maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
POST /reference_data/maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 430
POST /reference_data/maps/bulk_load/{name}. . . . . . . . . . . . . . . . . . . . . . 431
GET /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 433
POST /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 434
DELETE /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . 436
GET /reference_data/maps/{name}/dependents . . . . . . . . . . . . . . . . . . . . . 437
DELETE /reference_data/maps/{name}/{key} . . . . . . . . . . . . . . . . . . . . . . 439
GET /reference_data/set_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . . . 440
GET /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 442
POST /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 444
GET /reference_data/set_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . . 447
GET /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
POST /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
POST /reference_data/sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . . . 452
GET /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 453
POST /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Contents vii
 DELETE /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 456
DELETE /reference_data/sets/{name}/{value} . . . . . . . . . . . . . . . . . . . . . . 458
GET /reference_data/sets/{name}/dependents . . . . . . . . . . . . . . . . . . . . . . 459
GET /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
POST /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . 462
POST /reference_data/tables/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . . 463
GET /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . . . 465
POST /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 466
DELETE /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . 468
GET /reference_data/tables/{name}/dependents . . . . . . . . . . . . . . . . . . . . . 470
DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} . . . . . . . . . . . . . . . . 471
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
GET /scanner/profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
POST /scanner/profiles/create . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
POST /scanner/profiles/start . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
GET /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
POST /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476
GET /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . . . 477
POST /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . . 479
DELETE /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . 480
POST /scanner/scanprofiles/{profileid}/start . . . . . . . . . . . . . . . . . . . . . . 480
Services endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
POST /services/dig_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
GET /services/dig_lookups/{dig_lookup_id}. . . . . . . . . . . . . . . . . . . . . . . 482
POST /services/dns_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
GET /services/dns_lookups/{dns_lookup_id} . . . . . . . . . . . . . . . . . . . . . . 485
POST /services/port_scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
GET /services/port_scans/{port_scan_id} . . . . . . . . . . . . . . . . . . . . . . . . 487
POST /services/whois_lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
GET /services/whois_lookups/{whois_lookup_id} . . . . . . . . . . . . . . . . . . . . . 490
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
GET /siem/local_destination_addresses . . . . . . . . . . . . . . . . . . . . . . . . 491
GET /siem/local_destination_addresses/{local_destination_address_id} . . . . . . . . . . . . . . 493
GET /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . . . 494
POST /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . . 495
GET /siem/offense_closing_reasons/{closing_reason_id} . . . . . . . . . . . . . . . . . . . 496
GET /siem/offense_saved_search_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 497
GET /siem/offense_saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . 499
POST /siem/offense_saved _search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 501
GET /siem/offense_saved _search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . 504
GET /siem/offense_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 506
GET /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 508
POST /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 510
DELETE /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 511
GET /siem/offense_saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . 512
GET /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . 513
POST /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . 515
DELETE /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . 516
GET /siem/offense_saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . . . 518
GET /siem/offenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
GET /siem/offenses/{offense_id}. . . . . . . . . . . . . . . . . . . . . . . . . . . 523
GET /siem/offenses/{offense_id}/notes . . . . . . . . . . . . . . . . . . . . . . . . 526
GET /siem/offenses/{offense_id}/notes/{note_id} . . . . . . . . . . . . . . . . . . . . . 527
POST /siem/offenses/{offense_id}/notes . . . . . . . . . . . . . . . . . . . . . . . . 528
POST /siem/offenses/{offense_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 529
GET /siem/offense_types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
GET /siem/offense_types/{offense_type_id} . . . . . . . . . . . . . . . . . . . . . . . 535
GET /siem/source_addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 536
GET /siem/source_addresses/{source_address_id} . . . . . . . . . . . . . . . . . . . . . 537
Staged configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 539
GET /staged_config/deploy_status . . . . . . . . . . . . . . . . . . . . . . . . . . 539

viii QRadar API Reference Guide

 POST /staged_config/deploy_status. . . . . . . . . . . . . . . . . . . . . . . . . . 540
GET /staged_config/deployment/hosts . . . . . . . . . . . . . . . . . . . . . . . . 541
GET /staged_config/deployment/hosts/{id} . . . . . . . . . . . . . . . . . . . . . . . 544
GET /staged_config/global_system_notifications . . . . . . . . . . . . . . . . . . . . . 547
GET /staged_config/global_system_notifications/{notification_id}. . . . . . . . . . . . . . . . 548
POST /staged_config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . . 549
GET /staged_config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . . . 551
POST /staged_config/remote_networks . . . . . . . . . . . . . . . . . . . . . . . . 552
GET /staged_config/remote_networks/{network_id} . . . . . . . . . . . . . . . . . . . . 554
POST /staged_config/remote_networks/{network_id}. . . . . . . . . . . . . . . . . . . . 555
DELETE /staged_config/remote_networks/{network_id} . . . . . . . . . . . . . . . . . . . 556
GET /staged_config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . . 557
POST /staged_config/remote_services . . . . . . . . . . . . . . . . . . . . . . . . . 558
GET /staged_config/remote_services/{service_id} . . . . . . . . . . . . . . . . . . . . . 560
POST /staged_config/remote_services/{service_id}. . . . . . . . . . . . . . . . . . . . . 561
DELETE /staged_config/remote_services/{service_id}. . . . . . . . . . . . . . . . . . . . 562
DELETE /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . . . 563
PUT /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
System endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
GET /system/information/locales . . . . . . . . . . . . . . . . . . . . . . . . . . 564
GET /system/servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
GET /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 567
POST /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 568
GET /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . . 569
PUT /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . . 571
GET /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . . . 572
POST /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . . 574
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} . . . . . . . . . . . 577
DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} . . . . . . . . . . 579
GET /system/servers/{server_id}/network_interfaces/ethernet . . . . . . . . . . . . . . . . 580
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} . . . . . . . . . . . 582
GET /system/servers/{server_id}/system_time_settings . . . . . . . . . . . . . . . . . . . 584
POST /system/servers/{server_id}/system_time_settings . . . . . . . . . . . . . . . . . . 585
GET /system/servers/{server_id}/timezones . . . . . . . . . . . . . . . . . . . . . . . 588

Chapter 7. Previous REST API versions . . . . . . . . . . . . . . . . . . . . . 591

REST API V7.0 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
GET /analytics/ade_rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . 591
GET /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 592
POST /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 593
DELETE /analytics/ade_rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 595
GET /analytics/ade_rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . 596
GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . 599
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 600
POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 603
GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results . . . . . . . . . . . . . 606
GET /analytics/building_blocks . . . . . . . . . . . . . . . . . . . . . . . . . . 608
GET /analytics/building_blocks/building_block_delete_tasks/{task_id} . . . . . . . . . . . . . 609
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . 611
POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} . . . . . . . . . . . 614
GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results . . . . . . . . 617
GET /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . 619
POST /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . . 620
DELETE /analytics/building_blocks/{id} . . . . . . . . . . . . . . . . . . . . . . . 621
GET /analytics/building_blocks/{id}/dependents . . . . . . . . . . . . . . . . . . . . 623
GET /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . 625
POST /analytics/custom_actions/actions . . . . . . . . . . . . . . . . . . . . . . . 627
GET /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . 629
POST /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . . 630
DELETE /analytics/custom_actions/actions/{action_id} . . . . . . . . . . . . . . . . . . 633

Contents ix
 GET /analytics/custom_actions/interpreters . . . . . . . . . . . . . . . . . . . . . . 633
GET /analytics/custom_actions/interpreters/{interpreter_id} . . . . . . . . . . . . . . . . 634
GET /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . 635
POST /analytics/custom_actions/scripts . . . . . . . . . . . . . . . . . . . . . . . 637
GET /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . . 638
POST /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . . 639
DELETE /analytics/custom_actions/scripts/{script_id} . . . . . . . . . . . . . . . . . . 640
GET /analytics/rule_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
GET /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 642
POST /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 644
DELETE /analytics/rule_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 646
GET /analytics/rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
GET /analytics/rules/rule_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 649
GET /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 650
POST /analytics/rules/rule_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 652
GET /analytics/rules/rule_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 655
GET /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657
POST /analytics/rules/{id}. . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
DELETE /analytics/rules/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
GET /analytics/rules/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . . . 661
Ariel endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
GET /ariel/databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
GET /ariel/databases/{database_name} . . . . . . . . . . . . . . . . . . . . . . . 665
GET /ariel/event_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . 666
GET /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 668
POST /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 669
DELETE /ariel/event_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 671
GET /ariel/flow_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 672
GET /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 674
POST /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 675
DELETE /ariel/flow_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 677
GET /ariel/saved_search_delete_tasks/{task_id}. . . . . . . . . . . . . . . . . . . . . 678
GET /ariel/saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 679
POST /ariel/saved_search_dependent_tasks/{task_id}. . . . . . . . . . . . . . . . . . . 682
GET /ariel/saved_search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 685
GET /ariel/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . 687
GET /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . . 688
POST /ariel/saved_searches/{id}. . . . . . . . . . . . . . . . . . . . . . . . . . 689
DELETE /ariel/saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . . . 691
GET /ariel/saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . . . . . 692
GET /ariel/searches . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
POST /ariel/searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 696
GET /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . . 698
POST /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . . 699
DELETE /ariel/searches/{search_id} . . . . . . . . . . . . . . . . . . . . . . . . 701
GET /ariel/searches/{search_id}/results . . . . . . . . . . . . . . . . . . . . . . . 703
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 704
GET /asset_model/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
POST /asset_model/assets/{asset_id} . . . . . . . . . . . . . . . . . . . . . . . . 706
GET /asset_model/properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 707
GET /asset_model/saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . 708
GET /asset_model/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 710
POST /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . 711
DELETE /asset_model/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . 713
GET /asset_model/saved_searches . . . . . . . . . . . . . . . . . . . . . . . . . 714
GET /asset_model/saved_searches/{saved_search_id}. . . . . . . . . . . . . . . . . . . 715
POST /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . 717
DELETE /asset_model/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . 718
GET /asset_model/saved_searches/{saved_search_id}/results . . . . . . . . . . . . . . . . 719
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
POST /auth/logout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721

x QRadar API Reference Guide

Configuration endpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 721
GET /config/access/tenant_management/tenants . . . . . . . . . . . . . . . . . . . . 721
POST /config/access/tenant_management/tenants. . . . . . . . . . . . . . . . . . . . 722
GET /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . . 723
POST /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . . 724
DELETE /config/access/tenant_management/tenants/{tenant_id} . . . . . . . . . . . . . . 725
GET /config/domain_management/domains. . . . . . . . . . . . . . . . . . . . . . 726
POST /config/domain_management/domains . . . . . . . . . . . . . . . . . . . . . 728
GET /config/domain_management/domains/{domain_id} . . . . . . . . . . . . . . . . . 730
POST /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . . 731
DELETE /config/domain_management/domains/{domain_id}. . . . . . . . . . . . . . . . 733
GET /config/event_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . 734
GET /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 736
POST /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 737
DELETE /config/event_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . 739
GET /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . 740
POST /config/event_sources/custom_properties/property_expressions . . . . . . . . . . . . . 741
GET /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 743
POST /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . . 745
DELETE /config/event_sources/custom_properties/property_expressions/{expression_id} . . . . . . 747
GET /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 748
POST /config/event_sources/custom_properties/regex_properties . . . . . . . . . . . . . . 749
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 751
POST /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . 752
DELETE /config/event_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . 755
GET /config/event_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . 757
GET /config/event_sources/custom_properties/regex_property_delete_tasks/{task_id} . . . . . . . 759
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . 761
POST /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}. . . . . . 764
GET /config/event_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . 767
GET /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . 769
POST /config/extension_management/extensions . . . . . . . . . . . . . . . . . . . . 772
GET /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . 774
POST /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . . 776
DELETE /config/extension_management/extensions/{extension_id} . . . . . . . . . . . . . . 777
GET /config/extension_management/extensions_task_status/{status_id} . . . . . . . . . . . . 779
GET /config/extension_management/extensions_task_status/{status_id}/results . . . . . . . . . . 781
GET /config/flow_retention_buckets . . . . . . . . . . . . . . . . . . . . . . . . 782
GET /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . . 784
POST /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . . 785
DELETE /config/flow_retention_buckets/{id} . . . . . . . . . . . . . . . . . . . . . 787
GET /config/flow_sources/custom_properties/property_expressions. . . . . . . . . . . . . . 787
POST /config/flow_sources/custom_properties/property_expressions . . . . . . . . . . . . . 789
GET /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . . 791
POST /config/flow_sources/custom_properties/property_expressions/{expression_id}. . . . . . . . 793
DELETE /config/flow_sources/custom_properties/property_expressions/{expression_id} . . . . . . . 795
GET /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 796
POST /config/flow_sources/custom_properties/regex_properties . . . . . . . . . . . . . . . 798
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 800
POST /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . . 801
DELETE /config/flow_sources/custom_properties/regex_properties/{regex_property_id} . . . . . . . 803
GET /config/flow_sources/custom_properties/regex_properties/{regex_property_id}/dependents . . . . 805
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . 808
POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id} . . . . . . 810
GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/{task_id}/results . . . . 813
GET /config/global_system_notifications . . . . . . . . . . . . . . . . . . . . . . . 815
GET /config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . . . . 817
GET /config/network_hierarchy/networks . . . . . . . . . . . . . . . . . . . . . . 818
GET /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . 819
PUT /config/network_hierarchy/staged_networks . . . . . . . . . . . . . . . . . . . . 820
GET /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 821

Contents xi
 POST /config/resource_restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 822
GET /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . 823
DELETE /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . 824
PUT /config/resource_restrictions/{resource_restriction_id} . . . . . . . . . . . . . . . . . 825
GET /config/store_and_forward/policies . . . . . . . . . . . . . . . . . . . . . . . 826
GET /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . 828
POST /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . . 829
DELETE /config/store_and_forward/policies/{id} . . . . . . . . . . . . . . . . . . . . 831
Data classification endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . 831
GET /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . . 831
POST /data_classification/dsm_event_mappings . . . . . . . . . . . . . . . . . . . . 833
GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . . 835
POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id} . . . . . . . . . . . 836
GET /data_classification/high_level_categories . . . . . . . . . . . . . . . . . . . . . 837
GET /data_classification/high_level_categories/{high_level_category_id} . . . . . . . . . . . . 839
GET /data_classification/low_level_categories . . . . . . . . . . . . . . . . . . . . . 840
GET /data_classification/low_level_categories/{low_level_category_id} . . . . . . . . . . . . . 841
GET /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . 842
POST /data_classification/qid_records . . . . . . . . . . . . . . . . . . . . . . . . 844
GET /data_classification/qid_records/{qid_record_id}. . . . . . . . . . . . . . . . . . . 846
POST /data_classification/qid_records/{qid_record_id} . . . . . . . . . . . . . . . . . . 847
Forensics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 849
GET /forensics/capture/recoveries . . . . . . . . . . . . . . . . . . . . . . . . . 849
POST /forensics/capture/recoveries. . . . . . . . . . . . . . . . . . . . . . . . . 850
GET /forensics/capture/recoveries/{id} . . . . . . . . . . . . . . . . . . . . . . . 852
GET /forensics/capture/recovery_tasks . . . . . . . . . . . . . . . . . . . . . . . 853
GET /forensics/capture/recovery_tasks/{id} . . . . . . . . . . . . . . . . . . . . . . 855
GET /forensics/case_management/case_create_tasks/{id} . . . . . . . . . . . . . . . . . 857
GET /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . 859
POST /forensics/case_management/cases . . . . . . . . . . . . . . . . . . . . . . . 860
GET /forensics/case_management/cases/{id} . . . . . . . . . . . . . . . . . . . . . 862
GUI application framework endpoints . . . . . . . . . . . . . . . . . . . . . . . . . 863
GET /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . . 863
POST /gui_app_framework/application_creation_task . . . . . . . . . . . . . . . . . . 863
GET /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . 865
POST /gui_app_framework/application_creation_task/{application_id} . . . . . . . . . . . . . 866
GET /gui_app_framework/applications . . . . . . . . . . . . . . . . . . . . . . . 867
GET /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . 869
POST /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . 872
PUT /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . . . 875
DELETE /gui_app_framework/applications/{application_id} . . . . . . . . . . . . . . . . 876
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
GET /help/endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 877
GET /help/endpoints/{endpoint_id} . . . . . . . . . . . . . . . . . . . . . . . . 880
GET /help/resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 883
GET /help/resources/{resource_id} . . . . . . . . . . . . . . . . . . . . . . . . . 885
GET /help/versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 886
GET /help/versions/{version_id} . . . . . . . . . . . . . . . . . . . . . . . . . 887
IBM Security QRadar Risk Manager endpoints . . . . . . . . . . . . . . . . . . . . . . 888
GET /qrm/model_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . 889
GET /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . . 890
POST /qrm/model_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . . 892
DELETE /qrm/model_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 894
GET /qrm/qrm_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . . . 894
GET /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 896
POST /qrm/qrm_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . 898
DELETE /qrm/qrm_saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . 900
GET /qrm/question_groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 900
GET /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 902
POST /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . . 904
DELETE /qrm/question_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 905

xii QRadar API Reference Guide

 GET /qrm/simulation_groups. . . . . . . . . . . . . . . . . . . . . . . . . . . 906
GET /qrm/simulation_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . . 908
POST /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . . 909
DELETE /qrm/simulation_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 911
GET /qrm/topology_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . 912
GET /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 914
POST /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 915
DELETE /qrm/topology_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . 917
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . . 917
GET /qvm/assets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
GET /qvm/filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 918
GET /qvm/network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
GET /qvm/openservices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 919
GET /qvm/saved_search_groups. . . . . . . . . . . . . . . . . . . . . . . . . . 920
GET /qvm/saved_search_groups/{group_id}. . . . . . . . . . . . . . . . . . . . . . 922
POST /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . . 924
DELETE /qvm/saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . . . 925
GET /qvm/saved_searches. . . . . . . . . . . . . . . . . . . . . . . . . . . . 926
GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets . . . . . . . . . . . . . . 927
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances . . . . . . . . . . . 929
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities . . . . . . . . . . . 931
GET /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . 932
POST /qvm/saved_searches/vuln_instances/{task_id}/status . . . . . . . . . . . . . . . . 933
GET /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . 935
POST /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . . 936
DELETE /qvm/saved_searches/{saved_search_id} . . . . . . . . . . . . . . . . . . . . 937
GET /qvm/saved_searches/{saved_search_id}/vuln_instances . . . . . . . . . . . . . . . . 938
POST /qvm/tickets/assign . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
GET /qvm/vulns . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 939
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 940
GET /reference_data/map_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . 940
GET /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 942
POST /reference_data/map_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . 944
GET /reference_data/map_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 947
GET /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . 949
POST /reference_data/map_of_sets . . . . . . . . . . . . . . . . . . . . . . . . . 951
POST /reference_data/map_of_sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . 952
GET /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . 953
POST /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . . 955
DELETE /reference_data/map_of_sets/{name} . . . . . . . . . . . . . . . . . . . . . 956
GET /reference_data/map_of_sets/{name}/dependents . . . . . . . . . . . . . . . . . . 958
DELETE /reference_data/map_of_sets/{name}/{key} . . . . . . . . . . . . . . . . . . . 960
GET /reference_data/map_of_sets_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . 961
GET /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 962
POST /reference_data/map_of_sets_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 965
GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results . . . . . . . . . . . . . 968
GET /reference_data/maps. . . . . . . . . . . . . . . . . . . . . . . . . . . . 970
POST /reference_data/maps . . . . . . . . . . . . . . . . . . . . . . . . . . . 971
POST /reference_data/maps/bulk_load/{name}. . . . . . . . . . . . . . . . . . . . . 973
GET /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 974
POST /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . . 976
DELETE /reference_data/maps/{name} . . . . . . . . . . . . . . . . . . . . . . . 977
GET /reference_data/maps/{name}/dependents . . . . . . . . . . . . . . . . . . . . 979
DELETE /reference_data/maps/{name}/{key} . . . . . . . . . . . . . . . . . . . . . 980
GET /reference_data/set_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . . . . . 982
GET /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 983
POST /reference_data/set_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . . . . 986
GET /reference_data/set_dependent_tasks/{task_id}/results . . . . . . . . . . . . . . . . 989
GET /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 991
POST /reference_data/sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 992
POST /reference_data/sets/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . . 993

Contents xiii
 GET /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 994
POST /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . . 996
DELETE /reference_data/sets/{name} . . . . . . . . . . . . . . . . . . . . . . . . 997
DELETE /reference_data/sets/{name}/{value} . . . . . . . . . . . . . . . . . . . . . 999
GET /reference_data/sets/{name}/dependents . . . . . . . . . . . . . . . . . . . . . 1000
GET /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . 1002
POST /reference_data/tables . . . . . . . . . . . . . . . . . . . . . . . . . . . 1003
POST /reference_data/tables/bulk_load/{name} . . . . . . . . . . . . . . . . . . . . 1004
GET /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . 1006
POST /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . . 1007
DELETE /reference_data/tables/{name} . . . . . . . . . . . . . . . . . . . . . . . 1009
GET /reference_data/tables/{name}/dependents . . . . . . . . . . . . . . . . . . . . 1011
DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} . . . . . . . . . . . . . . 1012
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
GET /scanner/profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
POST /scanner/profiles/create . . . . . . . . . . . . . . . . . . . . . . . . . . 1014
POST /scanner/profiles/start . . . . . . . . . . . . . . . . . . . . . . . . . . 1015
GET /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 1016
POST /scanner/scanprofiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 1017
GET /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . 1018
POST /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . . 1020
DELETE /scanner/scanprofiles/{profileid} . . . . . . . . . . . . . . . . . . . . . . 1021
POST /scanner/scanprofiles/{profileid}/start . . . . . . . . . . . . . . . . . . . . . 1021
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1022
GET /siem/local_destination_addresses . . . . . . . . . . . . . . . . . . . . . . . 1022
GET /siem/local_destination_addresses/{local_destination_address_id} . . . . . . . . . . . . 1024
GET /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . 1026
POST /siem/offense_closing_reasons . . . . . . . . . . . . . . . . . . . . . . . . 1027
GET /siem/offense_closing_reasons/{closing_reason_id} . . . . . . . . . . . . . . . . . 1028
GET /siem/offense_saved_search_delete_tasks/{task_id} . . . . . . . . . . . . . . . . . 1029
GET /siem/offense_saved_search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . . 1031
POST /siem/offense_saved _search_dependent_tasks/{task_id} . . . . . . . . . . . . . . . 1033
GET /siem/offense_saved _search_dependent_tasks/{task_id}/results . . . . . . . . . . . . . 1036
GET /siem/offense_saved_search_groups . . . . . . . . . . . . . . . . . . . . . . 1038
GET /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 1040
POST /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . . 1042
DELETE /siem/offense_saved_search_groups/{group_id} . . . . . . . . . . . . . . . . . 1044
GET /siem/offense_saved_searches . . . . . . . . . . . . . . . . . . . . . . . . 1044
GET /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . . 1045
POST /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . . 1047
DELETE /siem/offense_saved_searches/{id} . . . . . . . . . . . . . . . . . . . . . 1048
GET /siem/offense_saved_searches/{id}/dependents . . . . . . . . . . . . . . . . . . 1050
GET /siem/offenses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1053
GET /siem/offenses/{offense_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1055
GET /siem/offenses/{offense_id}/notes . . . . . . . . . . . . . . . . . . . . . . . 1058
GET /siem/offenses/{offense_id}/notes/{note_id}. . . . . . . . . . . . . . . . . . . . 1059
POST /siem/offenses/{offense_id}/notes. . . . . . . . . . . . . . . . . . . . . . . 1060
POST /siem/offenses/{offense_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1061
GET /siem/offense_types . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1065
GET /siem/offense_types/{offense_type_id} . . . . . . . . . . . . . . . . . . . . . 1067
GET /siem/source_addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 1068
GET /siem/source_addresses/{source_address_id} . . . . . . . . . . . . . . . . . . . 1069
Staged configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . 1071
GET /staged_config/deploy_status. . . . . . . . . . . . . . . . . . . . . . . . . 1071
POST /staged_config/deploy_status . . . . . . . . . . . . . . . . . . . . . . . . 1072
GET /staged_config/global_system_notifications . . . . . . . . . . . . . . . . . . . . 1073
GET /staged_config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . 1075
POST /staged_config/global_system_notifications/{notification_id} . . . . . . . . . . . . . . 1076
DELETE /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . 1077
PUT /staged_config/yara_rules . . . . . . . . . . . . . . . . . . . . . . . . . . 1077
System endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1078

xiv QRadar API Reference Guide

 GET /system/information/locales . . . . . . . . . . . . . . . . . . . . . . . . . 1078
GET /system/servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1080
GET /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1081
POST /system/servers/{server_id} . . . . . . . . . . . . . . . . . . . . . . . . . 1082
GET /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . 1083
PUT /system/servers/{server_id}/firewall_rules . . . . . . . . . . . . . . . . . . . . 1085
GET /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . 1086
POST /system/servers/{server_id}/network_interfaces/bonded . . . . . . . . . . . . . . . 1088
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}. . . . . . . . . . 1091
DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}. . . . . . . . . 1094
GET /system/servers/{server_id}/network_interfaces/ethernet . . . . . . . . . . . . . . . 1095
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} . . . . . . . . . 1096
REST API V6.0 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1099
GET /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . . 1099
POST /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . 1100
GET /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . . 1102
POST /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . 1104
DELETE /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . 1106
GET /analytics/custom_actions/interpreters DEPRECATED . . . . . . . . . . . . . . . . 1107
GET /analytics/custom_actions/interpreters/{interpreter_id} DEPRECATED . . . . . . . . . . . 1108
GET /analytics/custom_actions/scripts DEPRECATED . . . . . . . . . . . . . . . . . . 1109
POST /analytics/custom_actions/scripts DEPRECATED. . . . . . . . . . . . . . . . . . 1110
GET /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . . 1111
POST /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . . 1112
DELETE /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . 1113
Ariel endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1114
GET /ariel/databases DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1114
GET /ariel/databases/{database_name} DEPRECATED . . . . . . . . . . . . . . . . . . 1114
GET /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1116
POST /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1116
GET /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1118
POST /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1119
DELETE /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1121
GET /ariel/searches/{search_id}/results DEPRECATED. . . . . . . . . . . . . . . . . . 1123
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1124
GET /asset_model/assets DEPRECATED. . . . . . . . . . . . . . . . . . . . . . . 1124
POST /asset_model/assets/{asset_id} DEPRECATED. . . . . . . . . . . . . . . . . . . 1125
GET /asset_model/properties DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1126
GET /asset_model/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . 1127
GET /asset_model/saved_searches/{saved_search_id}/results DEPRECATED . . . . . . . . . . 1129
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1130
POST /auth/logout DEPRECATED. . . . . . . . . . . . . . . . . . . . . . . . . 1131
Configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1131
GET /config/domain_management/domains DEPRECATED . . . . . . . . . . . . . . . . 1131
POST /config/domain_management/domains DEPRECATED. . . . . . . . . . . . . . . . 1133
GET /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1134
POST /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1136
DELETE /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . 1137
GET /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1139
POST /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1140
GET /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1141
POST /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1142
DELETE /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . 1143
GET /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . . 1144
POST /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . 1147
GET /config/extension_management/extensions/{extension_id} DEPRECATED. . . . . . . . . . 1149
POST /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . . 1151
DELETE /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . 1153
GET /config/extension_management/extensions_task_status/{status_id} DEPRECATED . . . . . . . 1155
GET /config/extension_management/extensions_task_status/{status_id}/results DEPRECATED . . . . 1156

Contents xv
 GUI application framework endpoints. . . . . . . . . . . . . . . . . . . . . . . . . 1158
GET /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1158
POST /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1159
GET /gui_app_framework/application_creation_task/{application_id} DEPRECATED. . . . . . . . 1160
POST /gui_app_framework/application_creation_task/{application_id} DEPRECATED . . . . . . . 1161
GET /gui_app_framework/applications DEPRECATED . . . . . . . . . . . . . . . . . . 1162
GET /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1164
POST /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1167
PUT /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1170
DELETE /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . 1171
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1172
GET /help/endpoints DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1172
GET /help/endpoints/{endpoint_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1175
GET /help/resources DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1178
GET /help/resources/{resource_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1180
GET /help/versions DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1181
GET /help/versions/{version_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1182
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . 1183
GET /qvm/assets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1184
GET /qvm/filters DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1184
GET /qvm/network DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1185
GET /qvm/openservices DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1185
GET /qvm/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1186
GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets DEPRECATED . . . . . . . . 1188
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances DEPRECATED . . . . . 1189
GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities DEPRECATED . . . . . 1191
GET /qvm/saved_searches/vuln_instances/{task_id}/status DEPRECATED . . . . . . . . . . . 1192
GET /qvm/saved_searches/{saved_search_id} DEPRECATED. . . . . . . . . . . . . . . . 1193
GET /qvm/saved_searches/{saved_search_id}/vuln_instances DEPRECATED . . . . . . . . . . 1194
POST /qvm/tickets/assign DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1196
GET /qvm/vulns DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1196
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1197
GET /reference_data/map_of_sets DEPRECATED . . . . . . . . . . . . . . . . . . . . 1197
POST /reference_data/map_of_sets DEPRECATED . . . . . . . . . . . . . . . . . . . 1198
GET /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . 1200
POST /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . 1201
DELETE /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . 1203
GET /reference_data/map_of_sets/{name}/dependents DEPRECATED . . . . . . . . . . . . 1205
DELETE /reference_data/map_of_sets/{name}/value/{key} DEPRECATED . . . . . . . . . . . 1207
GET /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1208
POST /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1209
GET /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1211
POST /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1212
DELETE /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1213
GET /reference_data/maps/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1215
DELETE /reference_data/maps/{name}/value/{key} DEPRECATED . . . . . . . . . . . . . 1217
GET /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1218
POST /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1220
GET /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1221
POST /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1222
DELETE /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1224
GET /reference_data/sets/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1226
DELETE /reference_data/sets/{name}/value/{value} DEPRECATED . . . . . . . . . . . . . 1227
POST /reference_data/sets/bulk_load/{name} DEPRECATED . . . . . . . . . . . . . . . 1229
GET /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1230
POST /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1231
GET /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1232
POST /reference_data/tables/{name} DEPRECATED. . . . . . . . . . . . . . . . . . . 1234
DELETE /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1235
GET /reference_data/tables/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1237
DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} DEPRECATED . . . . . . . 1239

xvi QRadar API Reference Guide

 Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1241
GET /scanner/profiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1241
POST /scanner/profiles/create DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1241
POST /scanner/profiles/start DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1242
GET /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1243
POST /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1244
GET /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1245
POST /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1247
DELETE /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . 1248
POST /scanner/scanprofiles/{profileid}/start DEPRECATED . . . . . . . . . . . . . . . . 1248
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1249
GET /siem/local_destination_addresses DEPRECATED . . . . . . . . . . . . . . . . . . 1249
GET /siem/local_destination_addresses/{local_destination_address_id} DEPRECATED . . . . . . . 1251
GET /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1253
POST /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1254
GET /siem/offense_closing_reasons/{closing_reason_id} DEPRECATED . . . . . . . . . . . . 1255
GET /siem/offense_types DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1256
GET /siem/offense_types/{offense_type_id} DEPRECATED . . . . . . . . . . . . . . . . 1258
GET /siem/offenses DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1259
GET /siem/offenses/{offense_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1262
POST /siem/offenses/{offense_id} DEPRECATED. . . . . . . . . . . . . . . . . . . . 1264
GET /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . . 1268
POST /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . 1269
GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED . . . . . . . . . . . . . . 1270
GET /siem/source_addresses DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1272
GET /siem/source_addresses/{source_address_id} DEPRECATED . . . . . . . . . . . . . . 1273
System endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1274
GET /system/servers DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1275
GET /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1276
POST /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1277
GET /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1278
PUT /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1279
GET /system/servers/{server_id}/network_interfaces/ethernet DEPRECATED . . . . . . . . . . 1281
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} DEPRECATED . . . . 1282
GET /system/servers/{server_id}/network_interfaces/bonded DEPRECATED . . . . . . . . . . 1285
POST /system/servers/{server_id}/network_interfaces/bonded DEPRECATED . . . . . . . . . . 1287
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} DEPRECATED . . . . 1290
DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name} DEPRECATED . . . 1293
REST API V5.1 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1294
Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1294
GET /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . . 1294
POST /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . 1295
GET /analytics/custom_actions/interpreters DEPRECATED . . . . . . . . . . . . . . . . 1297
GET /analytics/custom_actions/interpreters/{interpreter_id} DEPRECATED . . . . . . . . . . . 1299
GET /analytics/custom_actions/scripts DEPRECATED . . . . . . . . . . . . . . . . . . 1300
POST /analytics/custom_actions/scripts DEPRECATED . . . . . . . . . . . . . . . . . 1301
GET /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . . 1302
POST /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . 1303
DELETE /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . 1305
GET /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . . 1306
POST /analytics/custom_actions/scripts/{script_id} DEPRECATED. . . . . . . . . . . . . . 1307
DELETE /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . 1308
Ariel endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1309
GET /ariel/databases DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1309
GET /ariel/databases/{database_name} DEPRECATED . . . . . . . . . . . . . . . . . . 1309
GET /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1311
POST /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1312
GET /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1313
POST /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1315
DELETE /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1316
GET /ariel/searches/{search_id}/results DEPRECATED. . . . . . . . . . . . . . . . . . 1318

Contents xvii
 Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1319
GET /asset_model/assets DEPRECATED. . . . . . . . . . . . . . . . . . . . . . . 1319
POST /asset_model/assets/{asset_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1320
GET /asset_model/properties DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1321
GET /asset_model/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . 1322
GET /asset_model/saved_searches/{saved_search_id}/results DEPRECATED . . . . . . . . . . 1324
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1325
POST /auth/logout DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1326
Configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1326
GET /config/domain_management/domains DEPRECATED . . . . . . . . . . . . . . . . 1326
POST /config/domain_management/domains DEPRECATED . . . . . . . . . . . . . . . 1328
GET /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1329
POST /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1331
DELETE /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . 1332
GET /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1334
POST /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1335
GET /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1336
POST /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1337
DELETE /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . 1338
GET /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . . 1339
POST /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . 1342
GET /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . . 1344
POST /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . . 1346
DELETE /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . 1348
GET /config/extension_management/extensions_task_status/{status_id} DEPRECATED . . . . . . . 1350
GET /config/extension_management/extensions_task_status/{status_id}/results DEPRECATED . . . . 1351
GUI application framework endpoints. . . . . . . . . . . . . . . . . . . . . . . . . 1353
GET /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1353
POST /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1354
GET /gui_app_framework/application_creation_task/{application_id} DEPRECATED. . . . . . . . 1355
POST /gui_app_framework/application_creation_task/{application_id} DEPRECATED . . . . . . . 1356
GET /gui_app_framework/applications DEPRECATED . . . . . . . . . . . . . . . . . . 1357
GET /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1359
POST /gui_app_framework/applications/{application_id} DEPRECATED. . . . . . . . . . . . 1362
PUT /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1365
DELETE /gui_app_framework/applications/{application_id} DEPRECATED. . . . . . . . . . . 1366
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1367
GET /help/capabilities DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1367
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . 1369
GET /qvm/assets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1369
GET /qvm/filters DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1370
GET /qvm/network DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1371
GET /qvm/openservices DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1371
GET /qvm/savedsearches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1372
POST /qvm/tickets/assign DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1373
GET /qvm/vulninstances DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1373
GET /qvm/vulns DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1374
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1375
GET /reference_data/map_of_sets DEPRECATED. . . . . . . . . . . . . . . . . . . . 1375
POST /reference_data/map_of_sets DEPRECATED . . . . . . . . . . . . . . . . . . . 1376
GET /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . 1378
POST /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . 1379
DELETE /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . 1380
GET /reference_data/map_of_sets/{name}/dependents DEPRECATED . . . . . . . . . . . . 1382
DELETE /reference_data/map_of_sets/{name}/value/{key} DEPRECATED . . . . . . . . . . . 1384
GET /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1386
POST /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1387
GET /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1388
POST /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1390
DELETE /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1391
GET /reference_data/maps/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1393

xviii QRadar API Reference Guide

 DELETE /reference_data/maps/{name}/value/{key} DEPRECATED . . . . . . . . . . . . . 1395
GET /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1396
POST /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1397
GET /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1399
POST /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1400
DELETE /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1401
GET /reference_data/sets/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1403
DELETE /reference_data/sets/{name}/value/{value} DEPRECATED . . . . . . . . . . . . . 1405
POST /reference_data/sets/bulk_load/{name} DEPRECATED . . . . . . . . . . . . . . . 1406
GET /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1408
POST /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1409
GET /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1410
POST /reference_data/tables/{name} DEPRECATED. . . . . . . . . . . . . . . . . . . 1412
DELETE /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1413
GET /reference_data/tables/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1415
DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} DEPRECATED . . . . . . . 1417
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1419
GET /scanner/profiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1419
POST /scanner/profiles/create DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1419
POST /scanner/profiles/start DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1420
GET /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1421
POST /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1422
GET /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1423
POST /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1425
DELETE /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . 1426
POST /scanner/scanprofiles/{profileid}/start DEPRECATED . . . . . . . . . . . . . . . . 1426
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1427
GET /siem/local_destination_addresses DEPRECATED . . . . . . . . . . . . . . . . . . 1427
GET /siem/local_destination_addresses/{local_destination_address_id} DEPRECATED . . . . . . . 1429
GET /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1431
POST /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1432
GET /siem/offense_closing_reasons/{closing_reason_id} DEPRECATED . . . . . . . . . . . . 1433
GET /siem/offenses DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1434
GET /siem/offenses/{offense_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1437
POST /siem/offenses/{offense_id} DEPRECATED. . . . . . . . . . . . . . . . . . . . 1441
GET /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . . 1444
POST /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . 1445
GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED . . . . . . . . . . . . . . 1446
GET /siem/source_addresses DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1448
GET /siem/source_addresses/{source_address_id} DEPRECATED . . . . . . . . . . . . . . 1449
System endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1450
GET /system/servers DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1451
GET /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1452
POST /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1453
GET /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1454
PUT /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1455
GET /system/servers/{server_id}/network_interfaces/ethernet DEPRECATED . . . . . . . . . . 1457
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} DEPRECATED . . . . 1458
GET /system/servers/{server_id}/network_interfaces/bonded DEPRECATED . . . . . . . . . . 1460
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} DEPRECATED . . . . 1463
REST API V5.0 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1465
Analytics endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1465
GET /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . . 1465
POST /analytics/custom_actions/actions DEPRECATED . . . . . . . . . . . . . . . . . 1466
GET /analytics/custom_actions/interpreters DEPRECATED . . . . . . . . . . . . . . . . 1468
GET /analytics/custom_actions/interpreters/{interpreter_id} DEPRECATED . . . . . . . . . . . 1470
GET /analytics/custom_actions/scripts DEPRECATED . . . . . . . . . . . . . . . . . . 1471
POST /analytics/custom_actions/scripts DEPRECATED . . . . . . . . . . . . . . . . . 1472
GET /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . . 1473
POST /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . . 1474
DELETE /analytics/custom_actions/actions/{action_id} DEPRECATED . . . . . . . . . . . . 1476

Contents xix
 GET /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . . 1477
POST /analytics/custom_actions/scripts/{script_id} DEPRECATED. . . . . . . . . . . . . . 1478
DELETE /analytics/custom_actions/scripts/{script_id} DEPRECATED . . . . . . . . . . . . . 1479
Ariel endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1480
GET /ariel/databases DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1480
GET /ariel/databases/{database_name} DEPRECATED . . . . . . . . . . . . . . . . . . 1480
GET /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1482
POST /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1483
GET /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1484
POST /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1486
DELETE /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1487
GET /ariel/searches/{search_id}/results DEPRECATED. . . . . . . . . . . . . . . . . . 1489
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1490
GET /asset_model/assets DEPRECATED. . . . . . . . . . . . . . . . . . . . . . . 1490
POST /asset_model/assets/{asset_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1491
GET /asset_model/properties DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1492
GET /asset_model/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . 1493
GET /asset_model/saved_searches/{saved_search_id}/results DEPRECATED . . . . . . . . . . 1495
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1496
POST /auth/logout DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1497
Configuration endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1497
GET /config/domain_management/domains DEPRECATED . . . . . . . . . . . . . . . . 1497
POST /config/domain_management/domains DEPRECATED . . . . . . . . . . . . . . . 1499
GET /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1500
POST /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . . 1502
DELETE /config/domain_management/domains/{domain_id} DEPRECATED . . . . . . . . . . 1503
GET /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1505
POST /config/access/tenant_management/tenants DEPRECATED . . . . . . . . . . . . . . 1506
GET /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1507
POST /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . . 1508
DELETE /config/access/tenant_management/tenants/{tenant_id} DEPRECATED . . . . . . . . . 1509
GET /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . . 1510
POST /config/extension_management/extensions DEPRECATED . . . . . . . . . . . . . . 1513
GET /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . . 1515
POST /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . . 1517
DELETE /config/extension_management/extensions/{extension_id} DEPRECATED . . . . . . . . 1519
GET /config/extension_management/extensions_task_status/{status_id} DEPRECATED . . . . . . . 1521
GET /config/extension_management/extensions_task_status/{status_id}/results DEPRECATED . . . . 1522
GUI application framework endpoints. . . . . . . . . . . . . . . . . . . . . . . . . 1524
GET /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1524
POST /gui_app_framework/application_creation_task DEPRECATED . . . . . . . . . . . . . 1525
GET /gui_app_framework/application_creation_task/{application_id} DEPRECATED. . . . . . . . 1526
POST /gui_app_framework/application_creation_task/{application_id} DEPRECATED . . . . . . . 1526
GET /gui_app_framework/applications DEPRECATED . . . . . . . . . . . . . . . . . . 1528
GET /gui_app_framework/applications/{application_id} DEPRECATED . . . . . . . . . . . . 1530
POST /gui_app_framework/applications/{application_id} DEPRECATED. . . . . . . . . . . . 1533
DELETE /gui_app_framework/applications/{application_id} DEPRECATED. . . . . . . . . . . 1536
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1536
GET /help/capabilities DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1536
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . 1539
GET /qvm/assets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1539
GET /qvm/filters DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1539
GET /qvm/network DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1540
GET /qvm/openservices DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1541
GET /qvm/savedsearches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1541
POST /qvm/tickets/assign DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1542
GET /qvm/vulninstances DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1543
GET /qvm/vulns DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1543
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1544
GET /reference_data/map_of_sets DEPRECATED. . . . . . . . . . . . . . . . . . . . 1544
POST /reference_data/map_of_sets DEPRECATED . . . . . . . . . . . . . . . . . . . 1545

xx QRadar API Reference Guide

 GET /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . 1547
POST /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . 1548
DELETE /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . 1550
GET /reference_data/map_of_sets/{name}/dependents DEPRECATED . . . . . . . . . . . . 1552
DELETE /reference_data/map_of_sets/{name}/value/{key} DEPRECATED . . . . . . . . . . . 1554
GET /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1555
POST /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1556
GET /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1558
POST /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1559
DELETE /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1560
GET /reference_data/maps/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1562
DELETE /reference_data/maps/{name}/value/{key} DEPRECATED . . . . . . . . . . . . . 1564
GET /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1565
POST /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1567
GET /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1568
POST /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1569
DELETE /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1571
GET /reference_data/sets/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1573
DELETE /reference_data/sets/{name}/value/{value} DEPRECATED . . . . . . . . . . . . . 1574
POST /reference_data/sets/bulk_load/{name} DEPRECATED . . . . . . . . . . . . . . . 1576
GET /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1577
POST /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1578
GET /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1579
POST /reference_data/tables/{name} DEPRECATED. . . . . . . . . . . . . . . . . . . 1581
DELETE /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1582
GET /reference_data/tables/{name}/dependents DEPRECATED . . . . . . . . . . . . . . . 1584
DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} DEPRECATED . . . . . . . 1586
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1588
GET /scanner/profiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1588
POST /scanner/profiles/create DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1588
POST /scanner/profiles/start DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1589
GET /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1590
POST /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1591
GET /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1592
POST /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1594
DELETE /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . 1595
POST /scanner/scanprofiles/{profileid}/start DEPRECATED . . . . . . . . . . . . . . . . 1595
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1596
GET /siem/local_destination_addresses DEPRECATED . . . . . . . . . . . . . . . . . . 1596
GET /siem/local_destination_addresses/{local_destination_address_id} DEPRECATED . . . . . . . 1598
GET /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1600
POST /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1601
GET /siem/offense_closing_reasons/{closing_reason_id} DEPRECATED . . . . . . . . . . . . 1602
GET /siem/offenses DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1603
GET /siem/offenses/{offense_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1606
POST /siem/offenses/{offense_id} DEPRECATED. . . . . . . . . . . . . . . . . . . . 1610
GET /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . . 1613
POST /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . 1614
GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED . . . . . . . . . . . . . . 1615
GET /siem/source_addresses DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1617
GET /siem/source_addresses/{source_address_id} DEPRECATED . . . . . . . . . . . . . . 1618
System endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1619
GET /system/servers DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1620
GET /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1621
POST /system/servers/{server_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1622
GET /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1623
PUT /system/servers/{server_id}/firewall_rules DEPRECATED . . . . . . . . . . . . . . . 1624
GET /system/servers/{server_id}/network_interfaces/ethernet DEPRECATED . . . . . . . . . . 1626
POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name} DEPRECATED . . . . 1627
GET /system/servers/{server_id}/network_interfaces/bonded DEPRECATED . . . . . . . . . . 1629
POST /system/servers/{server_id}/network_interfaces/bonded/{device_name} DEPRECATED . . . . 1632

Contents xxi
REST API V4.0 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1634
Ariel endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1634
GET /ariel/databases DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1634
GET /ariel/databases/{database_name} DEPRECATED . . . . . . . . . . . . . . . . . . 1635
GET /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1636
POST /ariel/searches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1637
GET /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1638
POST /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1640
DELETE /ariel/searches/{search_id} DEPRECATED . . . . . . . . . . . . . . . . . . . 1642
GET /ariel/searches/{search_id}/results DEPRECATED. . . . . . . . . . . . . . . . . . 1643
Asset model endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1644
GET /asset_model/assets DEPRECATED. . . . . . . . . . . . . . . . . . . . . . . 1644
POST /asset_model/assets/{asset_id} DEPRECATED . . . . . . . . . . . . . . . . . . 1646
GET /asset_model/properties DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1646
GET /asset_model/saved_searches DEPRECATED . . . . . . . . . . . . . . . . . . . 1648
GET /asset_model/saved_searches/{saved_search_id}/results DEPRECATED . . . . . . . . . . 1649
Authentication endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1651
POST /auth/logout DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1651
Help endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1651
GET /help/capabilities DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1651
QRadar Vulnerability Manager endpoints . . . . . . . . . . . . . . . . . . . . . . . 1653
GET /qvm/assets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1654
GET /qvm/filters DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1654
GET /qvm/network DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1655
GET /qvm/openservices DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1655
GET /qvm/savedsearches DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1656
POST /qvm/tickets/assign DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1657
GET /qvm/vulninstances DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1658
GET /qvm/vulns DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . . 1658
Reference data endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1659
GET /reference_data/map_of_sets DEPRECATED. . . . . . . . . . . . . . . . . . . . 1659
DELETE /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . 1661
GET /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . 1662
DELETE /reference_data/map_of_sets/{name}/{key} DEPRECATED . . . . . . . . . . . . . 1663
POST /reference_data/map_of_sets/{name} DEPRECATED . . . . . . . . . . . . . . . . 1665
POST /reference_data/map_of_sets DEPRECATED . . . . . . . . . . . . . . . . . . . 1666
GET /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1667
DELETE /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1669
GET /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1670
DELETE /reference_data/maps/{name}/{key} DEPRECATED. . . . . . . . . . . . . . . . 1671
POST /reference_data/maps/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1673
POST /reference_data/maps DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1674
POST /reference_data/sets/bulk_load/{name} DEPRECATED . . . . . . . . . . . . . . . 1675
GET /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1677
DELETE /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1678
GET /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1679
POST /reference_data/sets/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1680
DELETE /reference_data/sets/{name}/{value} DEPRECATED . . . . . . . . . . . . . . . 1682
POST /reference_data/sets DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1683
GET /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1684
DELETE /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . 1686
GET /reference_data/tables/{name} DEPRECATED . . . . . . . . . . . . . . . . . . . 1687
DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} DEPRECATED . . . . . . . . . 1688
POST /reference_data/tables/{name} DEPRECATED. . . . . . . . . . . . . . . . . . . 1690
POST /reference_data/tables DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1691
Scanner endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1693
GET /scanner/profiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . 1693
POST /scanner/profiles/create DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1693
POST /scanner/profiles/start DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1694
GET /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1695
POST /scanner/scanprofiles DEPRECATED . . . . . . . . . . . . . . . . . . . . . . 1697

xxii QRadar API Reference Guide

 GET /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1697
POST /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . . 1699
DELETE /scanner/scanprofiles/{profileid} DEPRECATED . . . . . . . . . . . . . . . . . 1700
POST /scanner/scanprofiles/{profileid}/start DEPRECATED . . . . . . . . . . . . . . . . 1700
SIEM endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1701
GET /siem/local_destination_addresses DEPRECATED . . . . . . . . . . . . . . . . . . 1701
GET /siem/local_destination_addresses/{local_destination_address_id} DEPRECATED . . . . . . . 1703
GET /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1704
POST /siem/offense_closing_reasons DEPRECATED . . . . . . . . . . . . . . . . . . . 1706
GET /siem/offense_closing_reasons/{closing_reason_id} DEPRECATED . . . . . . . . . . . . 1707
GET /siem/offenses DEPRECATED . . . . . . . . . . . . . . . . . . . . . . . . 1708
GET /siem/offenses/{offense_id} DEPRECATED . . . . . . . . . . . . . . . . . . . . 1711
POST /siem/offenses/{offense_id} DEPRECATED. . . . . . . . . . . . . . . . . . . . 1714
GET /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . . 1718
POST /siem/offenses/{offense_id}/notes DEPRECATED . . . . . . . . . . . . . . . . . 1719
GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED . . . . . . . . . . . . . . 1720
GET /siem/source_addresses DEPRECATED . . . . . . . . . . . . . . . . . . . . . 1721
GET /siem/source_addresses/{source_address_id} DEPRECATED . . . . . . . . . . . . . . 1723

Notices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1725
Trademarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1726
Terms and conditions for product documentation . . . . . . . . . . . . . . . . . . . . . . 1727
IBM Online Privacy Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1727

Contents xxiii
xxiv QRadar API Reference Guide
Default Applications Configuration Overview
The IBM Security QRadar API Reference Guide provides information on the
RESTful API for how to integrate QRadar solutions into third-party systems.

Intended audience
This guide is intended for developers with coding experience. This guide assumes
that you have QRadar access and a knowledge of your corporate network and
networking technologies.

Technical documentation

For information about how to access more technical documentation, technical

notes, and release notes, see Accessing IBM Security Documentation Technical Note
(http://www.ibm.com/support/docview.wss?rs=0&uid=swg21612861).

Contacting customer support

For information about contacting customer support, see the Support and
Download Technical Note (http://www.ibm.com/support/docview.wss?rs=0
&uid=swg21612861).

Statement of good security practices

IT system security involves protecting systems and information through

prevention, detection and response to improper access from within and outside
your enterprise. Improper access can result in information being altered, destroyed,
misappropriated or misused or can result in damage to or misuse of your systems,
including for use in attacks on others. No IT system or product should be
considered completely secure and no single product, service or security measure
can be completely effective in preventing improper use or access. IBM systems,
products and services are designed to be part of a lawful comprehensive security
approach, which will necessarily involve additional operational procedures, and
may require other systems, products or services to be most effective. IBM DOES
NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE
MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Please Note:

Use of this Program may implicate various laws or regulations, including those
related to privacy, data protection, employment, and electronic communications
and storage. IBM Security QRadar may be used only for lawful purposes and in a
lawful manner. Customer agrees to use this Program pursuant to, and assumes all
responsibility for complying with, applicable laws, regulations and policies.
Licensee represents that it will obtain or has obtained any consents, permissions, or
licenses required to enable its lawful use of IBM Security QRadar.

Copyright IBM Corp. 2014, 2017 xxv

xxvi QRadar API Reference Guide
Chapter 1. What's new for developers in RESTful APIs in
QRadar V7.3.0
IBM Security QRadar V7.3.0 introduces version 8.0 of the API endpoints.

New endpoints

QRadar V7.3.0 introduces many new categories of API endpoints and updates to
existing endpoints in the following categories:
Analytics API endpoints
Building blocks
Custom rules
Configuration API endpoints
Hosts
License pool
Remote networks
Remote services
GUI App Framework endpoints
Named services
Staged configuration API endpoints
License pool
Remote networks
Remote services
Services endpoints
DNS lookups
DIG lookups
WHOIS lookups

Learn More...

Deprecated endpoints

All version 6.0 API endpoints are marked as deprecated in QRadar V7.3.0.

Learn More...

New endpoints in more detail

V7.3.0 of IBM Security QRadar significantly expands the number of endpoints that
are available in the QRadar API.

Building block API endpoints

The building block API structure includes the following new rule performance
information:

Copyright IBM Corp. 2014, 2017 1

 v Base Capacity (in EPS)
v Base Host ID
v Average Capacity (in EPS)
v Capacity Timestamp (of when the last performance update occurred)

The following endpoints were updated:

v GET /api/analytics/building_blocks
Retrieves a list of building block rules.
v GET /api/analytics/building_blocks/{id}
Retrieves a building block rule.
v POST /api/analytics/building_blocks/{id}
Updates the building block rule owner, or enabled/disabled only.

Custom rules API endpoints

The custom rule API structure includes the following new rule performance
information:
v Base Capacity (in EPS)
v Base Host ID
v Average Capacity (in EPS)
v Capacity Timestamp (for the last performance update)

The following endpoints were updated:

v GET /api/analytics/rules
Retrieves a list of custom rules.
v GET /api/analytics/rules/{id}
Retrieves a rule.
v POST /api/analytics/rules/{id}
Updates the rule owner, or enabled/disabled only.

Remote networks API endpoints

Use the new remote networks API endpoints to create, update, delete, and retrieve
information that is about deployed and staged remote networks.

The following new endpoints were added:

v GET /api/config/remote_networks
Retrieves a list of deployed remote networks.
v GET /api/config/remote_networks/{network_id}
Retrieves a deployed remote network by ID.
v GET /api/staged_config/remote_networks
Retrieves a list of staged remote networks.
v POST /api/staged_config/remote_networks
Creates a staged remote network.
v GET /api/staged_config/remote_networks/{network_id}
Retrieves a staged remote network.
v POST /api/staged_config/remote_networks/{network_id}
Updates a staged remote network.

2 QRadar API Reference Guide

v DELETE /api/staged_config/remote_networks/{network_id}
Deletes a staged remote network.

Remote services API endpoints

Use the new remote services API endpoints to create, update, delete, and retrieve
information that is about deployed and staged remote services.

The following new endpoints were added:

v GET /api/config/remote_services
Retrieves a list of deployed remote services.
v GET /api/config/remote_services/{service_id}
Retrieves a deployed remote service by ID.
v GET /api/staged_config/remote_services
Retrieves a list of staged remote services.
v POST /api/staged_config/remote_services
Creates a remote service.
v GET /api/staged_config/remote_services/{service_id}
Retrieves a staged remote service by ID.
v POST /api/staged_config/remote_services/{service_id}
Updates an existing staged remote service.
v DELETE /api/staged_config/remote_services/{service_id}
Deletes an existing remote service.

GUI App Framework named services API endpoints

You can use the named services API endpoints that were introduced in V8.0 to
retrieve information about named services that are registered with QRadar GUI
application framework. The following new endpoints were added:
v GET /api/gui_app_framework/named_services
Retrieves the list of named services that are registered with the GUI App
Framework.
v GET /api/gui_app_framework/named_services/{UUID}
Retrieves an individual named service by name.

Hosts API endpoints

New Host API endpoints retrieve information about deployed and staged hosts,
and to update deployed hosts.

The following new endpoints were added:

v GET /api/config/deployment/hosts
Retrieves a list of deployed hosts.
v GET /api/config/deployment/hosts/{id}
Retrieves an individual deployed host by ID.
v POST /api/config/deployment/hosts/{id}
Updates a host's fields that do not require a deploy.
v GET /api/staged_config/deployment/hosts
Retrieves a list of staged hosts.

Chapter 1. What's new for developers in the RESTful APIs in V7.3.0 3

 v GET /api/staged_config/deployment/hosts/{id}
Retrieves an individual staged host by ID.

License pool API endpoint

The License Pool API endpoint provides aggregated data of a deployment's

licenses.

The following new endpoint was added:

v GET /api/config/deployment/license_pool
Retrieves the deployed license pool singleton.

Services API endpoints

Use the services endpoints to create and retrieve information from port scans, and
DIG, DNS, and WHOIS lookups.

The following new endpoints were added:

v POST /api/services/dig_lookups
Creates a DIG lookup.
v GET /api/services/dig_lookups/{dig_lookup_id}
Retrieves the DIG lookup status and result.
v POST /api/services/dns_lookups
Creates a DNS lookup.
v GET /api/services/dns_lookups/{dns_lookup_id}
Retrieves the DNS lookup status.
v POST /api/services/port_scans
Creates a port scan.
v GET /api/services/port_scans/{port_scan_id}
Retrieves the port scan status.
v POST /api/services/whois_lookups
Creates a WHOIS lookup.
v GET /api/services/whois_lookups/{whois_lookup_id}
Retrieves the WHOIS lookup status.

System time API endpoints

Use the system time API endpoints to set and retrieve information about a server's
system time and time zone.

The following new endpoints were added:

v GET /api/system/servers/{server_id}/system_time_settings
Retrieves the system time and time zone settings on a server host based on the
supplied server ID.
v POST /api/system/servers/{server_id}/system_time_settings
Sets the system time and time zone settings on a server host.
v GET /api/system/servers/{server_id}/timezones
Retrieves all the available time zones that can be set for a server.

4 QRadar API Reference Guide

Deprecated endpoints in more detail
All version 6.0 API endpoints are marked as deprecated in IBM Security QRadar
V7.3.0.

Although deprecated endpoints continue to function, they will be removed in a

future release. You must update your integration to use version 8.0, which is the
most recent version of the QRadar RESTful API. Responses to deprecated endpoint
requests include a Deprecated response header that indicates that the endpoint is
deprecated.
Related concepts:
Chapter 2, RESTful API overview, on page 7
You access the RESTful API by sending HTTPS requests to specific URLs
(endpoints) on the QRadar Console. To send these requests, use the HTTP
implementation that is built in to the programming language of your choice. Each
request contains authentication information, and parameters that modify the
request.

Chapter 1. What's new for developers in the RESTful APIs in V7.3.0 5

6 QRadar API Reference Guide
Chapter 2. RESTful API overview
You access the RESTful API by sending HTTPS requests to specific URLs
(endpoints) on the QRadar Console. To send these requests, use the HTTP
implementation that is built in to the programming language of your choice. Each
request contains authentication information, and parameters that modify the
request.

API Endpoints
An API endpoint contains the URL of the resource that you want to access and the
action that you want to complete on that resource. The action is indicated by the
HTTP method of the request: GET, POST, PUT, or DELETE.

Required permissions to access the API

Authentication information must be included in every API request as an HTTP
header. Provide the required access credentials in one of the following ways:
v A user name and password for a QRadar user that is specified in the
authorization header.
You specify the user name and password by using HTTP basic authentication.
Although you can make API requests by providing a user name and password
for every request, use authorized service tokens for all API integrations with
QRadar. Only the user name and password option is supported for viewing the
Documentation Page.
For more information about creating user roles, security profiles, and users, see
the IBM Security QRadar Administration Guide.
v An authorized services token that is specified in the SEC header.
To authenticate as an authorized service, you create an authentication token that
uses authorized services. QRadar authorized services have roles and security
profiles assigned that control access to the various API resources.
The token is valid until the expiry date that you specified when you created the
authorized service.
For more information about creating user roles, security profiles and authorized
services, see the IBM Security QRadar Administration Guide.

The following table highlights the required role and the security profile impacts for
each API endpoint:
Table 1. Role permissions and security profile requirements
API Endpoints Roles Permissions Security Profile
/api/analytics/* Requires Admin permission. Requires Admin security
profile.
/api/ariel/* Requires Admin permission Requires Admin security
for querying events or flows. profile.
/api/asset_model/* Requires Vulnerability Data returned restricted
Management or Assets based on security profile
permissions. assigned.
/api/auth/* No permission restrictions. No security profile
restrictions.

Copyright IBM Corp. 2014, 2017 7

 Table 1. Role permissions and security profile requirements (continued)
API Endpoints Roles Permissions Security Profile
/api/config/access/ Requires Admin permission. Requires Admin security
tenant_management profile.
/api/config/ Requires Admin permission. Requires Admin security
domain_management profile.
/api/config/ Requires Admin permission. Requires Admin security
extensions_management profile.
/api/gui_app_framework/* Requires Admin permission. Requires Admin security
profile.
/api/help/* No permission restrictions. No security profile
restrictions.
/api/qvm/* Requires Assets permissions. Requires a security profile
with access to all networks,
all log sources, and all
domains.
/api/qrm/* Requires Admin permission. Requires Admin security
profile.
/api/reference_data/* Requires Admin permissions Requires Admin security
for POST and DELETE profile.
requests. Requires View
Reference Data for GET
requests.
/api/scanner/* Requires Vulnerability Requires a security profile
Management permissions. with access to all networks,
all log sources, and all
domains.
/api/services/* No permission restrictions. No security profile
restrictions.
/api/siem/* Requires Offenses Data returned restricted
permissions. based on security profile
assigned.
The Manage Offense
Closing Reasons permission
is required for creating
offense closing reasons (POST
/api/siem/
offense_closing_reasons).
The Assign Offenses to
Users permission is required
for updating the assigned to
field of an offense (POST
/api/siem/offenses/
{offense_id} when the
assigned_to parameter is
supplied).
/api/staged_config/* Requires Admin permission. Requires Admin security
profile.
/api/system/* Requires Admin permission. Requires Admin security
profile.

8 QRadar API Reference Guide

API requests and responses

When you send an API request, the server returns an HTTP response. The HTTP
response contains a status code to indicate whether the request succeeded and the
details of the response in the response body. Most resources format this response
as JavaScript Object Notation (JSON). You can use the JSON packages or libraries
that are built in to the programming language that you use to extract the data.

For a complete example of this process, see the sample code in GitHub
(https://github.com/ibm-security-intelligence/api-samples).

Version headers

You use version headers to request a specific version of the API. If you don't
provide a version header, the latest version of the API is used, which might break
integrations when QRadar is upgraded. If you provide a version header every time
you use an API, it makes it easier to upgrade to newer versions of QRadar without
breaking your API clients.

The APIs use the major and minor components of semantic versioning. Natural
numbers are used to designate major versions of the API, for example, '3'. Minor
versions of the API are designated with a major and minor component, for
example, '3.1'. You can set the version header to a major or a minor version of the
API. Changes that are compatible with existing versions are introduced with an
incremented minor version number. Any incompatible changes are introduced with
a major version number increment.

When a major version of the API is specified in the version header without a
minor component, the server responds with the latest minor version within the
major API version. For example, if the client requests version '3', the server
responds with version '3.1'. If you want to use version 3.0, you must request '3.0' in
the version header. If you request a version greater than the latest version of an
endpoint, the latest available version of that endpoint is returned. Each endpoint is
listed under every version it is valid for, even if it's unchanged in the newer
versions.

Endpoint deprecation

An API endpoint is marked as deprecated to indicate that it is not recommended for

use and will be removed in a future release. To give integrations time to use an
alternative, a deprecated endpoint continues to function for at least 1 release before
it is removed. The interactive API documentation page indicates that an endpoint
is marked as deprecated. Also, the API response message for a deprecated
endpoint includes the header Deprecated. An individual API endpoint, or an entire
version of API endpoints can be marked as deprecated. The deprecated endpoints
still continue to function until they are removed.

When an API endpoint completes the deprecation process, it is removed.

Endpoints that are removed no longer respond successfully. An attempt to call a
removed endpoint returns an error. An HTTP 410 Gone response is returned for
individual removed endpoints. An HTTP 422 Unprocessable Entity response is
returned for requests for a version that is no longer supported.

Include the version header in API requests to call a specific version of an API
endpoint. API integrations that do not explicitly request a particular version are
not supported. If you do not specify a version, your request is directed to the latest

Chapter 2. RESTful API overview 9

 available version. If a release includes a new, incompatible version of an endpoint,
your integration might break. Have your request version in one location in your
code to ease upgrading as newer versions become available.

Filter syntax
To limit the results that are returned in an API retrieval request (HTTP GET), most
IBM Security QRadar API endpoints that return lists of resources support the
filter parameter.

The filter parameter syntax is consistent for all endpoints that support it. Refer to
the documentation for the endpoint to determine if the filter parameter applies to
it. Any limitations for the filter syntax are included in that endpoint's description.
You are reminded that query parameters must be double URL encoded before they
are sent.

Comparison Operators

The filter comparison operators table describes the comparison operators that you
can use as part of the filter parameter.
Table 2. Filter comparison operators
Operator Description Example Filter Syntax
= Equality between the To find offenses where status=CLOSED:
identifier and the specified
value returned. GET /api/siem/offenses?filter=status
%3DCLOSED
> Identifier is greater than the To find offenses where credibility > 3:
specified value.
/api/siem/offenses?filter=credibility%20
%3E%203
< Identifier is less than the To find offenses where magnitude < 9:
specified value.
/api/siem/offenses?filter=magnitude%20
%3C%209
<= Identifier is less than or To find offenses where id <= 1004:
equal to the specified value.
/api/asset_model/properties?filter=id%20
%3C%3D%201004
>= Identifier is greater than or To find offenses where scanProfileId >= 3:
equal to the specified value.
/api/scanner/
scanprofiles?filter=scanProfileId%20%3E
%3D%203
!=, Identifier is not equal to the The following examples filters all IDs that
specified value. are not equal to 5:
<>,
/api/siem/offenses?filter=id%20!%3D%205
^=
/api/siem/offenses?filter=id%20%3C%3E
%205

/api/siem/offenses?filter=id%20%5E%3D
%205

10 QRadar API Reference Guide

Table 2. Filter comparison operators (continued)
Operator Description Example Filter Syntax
in Identifier is equal to at least id in (1001,1111,1200):
one of the specified values in
the list. /api/asset_model/assets?filter=id%20in
%20(1001%2C1111%2C1200)
not in Identifier is not equal to any id not in (1001,1002,1003):
of the specified values in the
list. /api/asset_model/
saved_searches?filter=id%20not%20in
%20(14%2C20%2C1003)
between ... Identifier is between 2 id between 0 and 3:
and ... specified values.
/api/siem/offenses?filter=id%20between
%200%20and%203
not between Identifier is not between 2 id not between 30 and 31:
... and ... specified values.
/api/siem/offenses?filter=id%20not
%20between%2030%20and%2031
is null Identifier is null. assigned_to is null:

/api/siem/offenses?filter=assigned_to
%20is%20null
is not null Identifier is not null. assigned_to is not null:

/api/siem/offenses?filter=assigned_to
%20is%20not%20null

Null values and comparison operators

When the field that you filtered on has a 'null' value, comparison operators behave
in the following ways:
v "=", ">", ">=", "<", "<=", "IN", and "BETWEEN" operators always return false
v "!=", "<>", "^=", "NOT BETWEEN", and "NOT IN" always return true

The best way to test for null values is to use the "is null" or "is not null" operators.

Logical operators

Use the logical operators OR, AND, and NOT to perform logical operations on
subexpressions. The following table provides examples of how to use logical
operators in filters.

Operator Description Example

or Performs a logical OR assigned_to is not null OR id = 111:
operation on the 2
subexpressions. The /api/siem/offenses?filter=assigned_to%20is
subexpressions might %20not%20null%20or%20id%20%3D%20111
be comparison nodes or
other logical nodes.

Chapter 2. RESTful API overview 11

 Operator Description Example
and Performs a logical AND assigned_to is not null AND id = 111:
operation on the 2
sub-expressions. The /api/siem/offenses?filter=assigned_to%20is
sub-expressions might %20not%20null%20and%20id%20%3D%20111
be comparison nodes or
other logical nodes.
not Performs a logical NOT protected =true and not id in (111,112,113)
operation on the
subexpression. /api/siem/offenses?filter=protected%20%3D
%20true%20and%20not%20id%20in%20(111%2C112
%2C113)

Specifying JSON fields for comparisons

The following table explains how to specify JSON fields for use with comparison
operators in filters.

JSON field example Description Example

{ When you apply a name = "Proprietary Data"
"name": "Proprietary Data", filter to a field
"element_type": "ALN" directly in the GET /api/reference_data/
} object that is sets?filter=name%20%3D%20
returned, the field %22Proprietary%20Data%22
is specified by
name.
{ When you apply a duration(days) >= 20
"description": "String", filter to a field
"duration": { nested inside a GET /api/scanner/
"days": 42, sub object use scanprofiles?filter=duration(days)
"hours": 42, brackets to specify %20%3E%3D%201
"minutes": 42,
the inner field.
"months": 42,
"seconds": 42.5,
"years": 42
}
}
["events","flows","simarc"] For simple JSON .= events
types where there
is no field label, GET /api/ariel/databases?filter=.
such as strings, %3D%20events
numbers or
Boolean, use the .
operator.

Specifying string and numeric values in filters

When you filter on string that have values with non-alphanumeric characters, you
must wrap the target string in quotation marks. When you filter on numeric
values, the numeric values can follow these conditions:
v Start with a leading + or - sign.
v Contain or start with a decimal point
v Include an exponent using e notation.

12 QRadar API Reference Guide

Filtering complex objects by using the CONTAINS operator

You filter complex objects by using the CONTAINS operator. You use the
CONTAINS operator to test the contents of lists or maps. On the left side of the
operator, is an identifier that is in the standard format, for example x(y(z)). The
identifier must refer to an element that is a list, map, or collection. On the right
side, of the operator is an expression that specifies how the objects in the list must
be matched. There are two basic uses for the CONTAINS operator:
v The list that is examined contains simple elements like strings or numbers
v The list contains complex objects.
Lists that contain simple types
For lists that contain simple types such as strings or numbers, the
expression is a value of the same type. For single comparisons, no brackets
are required
To request only asset saved searches that have ftp as the string in the
filter's value field:
GET /api/asset_model/saved_searches?filter=filters%20contains
%20value%20%3D%20ftp
To request assets where interfaces contains the IP address 1.2.3.4:
GET /api/asset_model/assets?filter=interfaces%20contains
%20ip_addresses%20contains%20value%20%3D%20%221.2.3.4%22
Lists that contain complex objects
For lists that contain complex objects, the expression is a complete filter
expression for the objects within the list. This subfilter expression uses the
same syntax as any other filter. You can use any operator in the subfilter to
test sublists inside the original list. Identifiers in this expression are relative
to the objects in the list that the CONTAINS operator is operating on. In
complex subfilter expressions, brackets are required.
To request only assets that have a field value = 14 and the Greater than
operator , apply the filter filters contains (value = 14 or operator =
"Greater than"). This filter returns the first and the last elements in the
list.
GET /api/asset_model/saved_searches?filter=filters%20contains
%20(value%20%3D%2014%20and%20operator%20%3D%20%22Greater%20than%22)
To find offenses that contain source addresses that have ID values less than
3 apply the following filter:
GET /api/siem/offenses?filter=source_address_ids%20contains%20(.
%3C3)

The LIKE operator

Use the LIKE operator to retrieve partial string matches.

The LIKE operator uses the following format: identifier like "expression".
Quotation marks around the expression is mandatory. Single and double quotation
marks are supported. The LIKE keyword does case-sensitive matching.

The following wildcard characters are supported. If you use wildcard characters in
a string, you must use escape them.

Wildcard character Description

% Matches a string of zero or more characters

Chapter 2. RESTful API overview 13

 Wildcard character Description
_ Matches any single character

You can combine the wildcards in the same expression. For example, to find the
reference set whose name ends with Data and begins with H:
GET /api/reference_data/sets?filter=name%20like%20%22H_%25Data%22

Sort syntax
To order the results that are returned in an API retrieval request, HTTP GET, some
IBM Security QRadar API endpoints that return lists of resources support the sort
parameter.

The sort parameter syntax is consistent for all endpoints that support it. Refer to
the documentation for the endpoint to determine if the sort parameter applies to it.
Any limitations on the sort syntax are included in that endpoint's description. To
ensure that spaces or special characters are encoded properly, remember that query
parameters must be double URL encoded before they are sent.

Sort operators
Operator Description Example
+ Sort field is in Sort add_time field in ascending order:
ascending order.
/api/config/extension_management/
extensions?sort=%2Badd_time
- Sort field is in Sort version field in descending order:
descending order.
/api/config/extension_management/
extensions?sort=-version

Sorting multiple fields

You can sort multiple fields by separating them with a comma. In the following
example, the version field is sorted in descending order. Then, within each
version group, the add_time field is sorted in ascending order.
/api/config/extension_management/extensions?sort=-version%2C%2Badd_time

Escaping characters in sort strings

Escape any character in the sort string by preceding it with a backslash (\). If any
of the following characters are inside a field identifier, you must escape them:
v ,
v (
v )
v \

Paging syntax
To limit the results returned in an API retrieval request, HTTP GET, most IBM
Security QRadar API endpoints that return lists of resources support the Range
header parameter.

14 QRadar API Reference Guide

 The Range parameter syntax is consistent for all endpoints that support it. Refer to
the documentation for the endpoint to determine whether the Range parameter
applies to it. Any limitations on the Range syntax are included in that endpoint's
description.

Note: The Range parameter is always sent as a header parameter, unlike the sort,
filter, and fields parameters. These parameters are typically query parameters.

By default, only the first 50 records are returned for the Range parameter on the
interactive API documentation page. You can alter the Range value for an endpoint.
However, if you request large result sets, it might negatively affect the performance
of the interactive API documentation page.

Range header parameter

Paging requests are specified with the Range header parameter. Use the following
zero-indexed syntax:
Range: items=x-y

The response to a request that employs paging includes the Content-Range header.
The header indicates the number of records that were returned within the content
range in the following format:
Content-Range: items x-y/total number of records received

For example, to return the first 5 records, the request header contains the following
parameter:
"Range: items= 0-4"

The response header for that request returns the following information:
Content-Range: items 0-4/5

If the requested range exceeds the number of records, all records that are within
the stated range are returned. In the following example, the first 100 records are
requested:
Range: items= 0-99

However, there are only 12 records in total. The response returns all records within
the stated range:
Content-Range: items 0-11/12

If the range requested is beyond the bounds of the amount of records, then no
records are returned. In the following example, the first records 3 to 5 records are
requested:
Range: items = 3-5

However, there are fewer than 3 records, and so no records are returned:
Content-Range: items */3

API error messages

When an API request fails due to request errors or server errors, an error response
message is returned in JSON format.

An error response message is returned in JSON format even for endpoints that
support other MIME types. The error response message includes error message
Chapter 2. RESTful API overview 15
 itself, a description of the error, a unique error code for the endpoint, an HTTP
response message, and an HTTP response code.

The error response includes following fields:

v message: the error message
v details: a field for additional information, which may or may not be populated
v description: description of the specific error
v code: Unique error response code
v http_response:
message: HTTP response message
code: HTTP response status code

For example, the following API request attempts to get information about a
non-existent reference set that is called test-set
https://<host_ip>/api/reference_data/sets/test_set

An HTTP 404 response code and the following JSON error response message are
returned:
{
"message": "test_set does not exist",
"details": {},
"description": "The reference set does not exist.",
"code": 1002,
"http_response": {
"message": "We could not find the resource you requested.",
"code": 404
}
}

The following table provides more information about the HTTP response error
categories returned by the IBM Security QRadar REST API:

HTTP
response
HTTP error category Code HTTP response message
MULTIPLE CHOICES 300 The requested resource corresponds to
any one of a set of representations,
each with its own specific location.
MOVED PERMANENTLY 301 The resource has moved permanently.
Please refer to the documentation.
FOUND 302 The resource has moved temporarily.
Please refer to the documentation.
SEE OTHER 303 The resource can be found under a
different URI.
NOT MODIFIED 304 The resource is available and not
modified.
USE PROXY 305 The requested resource must be accessed
through the proxy given by the Location
field.
TEMPORARY REDIRECT 307 The resource resides temporarily under a
different URI.
BAD REQUEST 400 Invalid syntax for this request was
provided.

16 QRadar API Reference Guide

 HTTP
response
HTTP error category Code HTTP response message
UNAUTHORIZED 401 You are unauthorized to access the
requested resource. Please log in.
FORBIDDEN 403 Your account is not authorized to access
the requested resource.
NOT FOUND 404 We could not find the resource you
requested. Please refer to the
documentation for the list of resources.
METHOD NOT ALLOWED 405 This method type is not currently
supported.
NOT ACCEPTABLE 406 Acceptance header is invalid for this
endpoint resource.
PROXY AUTHENTICATION 407 Authentication with proxy is required.
REQUIRED
REQUEST TIMEOUT 408 Client did not produce a request within
the time that the server was prepared to
wait.
CONFLICT 409 The request could not be completed due
to a conflict with the current state of
the resource.
GONE 410 The requested resource is no longer
available and has been permanently
removed.
LENGTH REQUIRED 411 Length of the content is required,
please include it with the request.
PRECONDITION FAILED 412 The request did not match the
pre-conditions of the requested
resource.
REQUEST ENTITY TOO 413 The request entity is larger than the
LARGE server is willing or able to process.
REQUEST-URI TOO LONG 414 The request URI is longer than the
server is willing to interpret.
UNSUPPORTED MEDIA 415 The requested resource does not support
TYPE the media type provided.
REQUESTED RANGE NOT 416 The requested range for the resource is
SATISFIABLE not available.
EXPECTATION FAILED 417 Unable to meet the expectation given in
the Expect request header.
MISSING ARGUMENTS 419 The requested resource is missing
required arguments.
INVALID ARGUMENTS 420 The requested resource does not support
one or more of the given parameters.
UNPROCESSABLE ENTITY 422 The request was well-formed but was
unable to be followed due to semantic
errors.
INTERNAL SERVER ERROR 500 Unexpected internal server error.
NOT IMPLEMENTED 501 The requested resource is recognized but
not implemented.

Chapter 2. RESTful API overview 17

 HTTP
response
HTTP error category Code HTTP response message
BAD GATEWAY 502 Invalid response received when acting as
a proxy or gateway.
SERVICE UNAVAILABLE 503 The server is currently unavailable.
GATEWAY TIMEOUT 504 Did not receive a timely response from
upstream server while acting as a
gateway or proxy.
HTTP VERSION NOT 505 The HTTP protocol version used in the
SUPPORTED request message is not supported.
INITIALIZATION FAILURE 550 A failure occurred during initialization
of services. API will be unavailable.

Cross-origin resource sharing

Cross-origin resource sharing (CORS) occurs when a script on one server sends an
Ajax request to another server. Cross-origin resource sharing also occurs when a
request is sent on a different protocol or port to the same server.

Cross-origin resource sharing violates the 'same origin policy', which is in place to
prevent cross-site request forgery attacks. While the global prevention of cookies
for /api/* endpoints avoids these attacks, browsers still attempt to enforce this
policy. All browsers use this convention but it does not apply to manual request
mechanisms like cURL.

Browsers detect that you are attempting to make a request to a server, and initially
send a preflight request. Preflight requests are set as an OPTION request against
the same URL, but also contain the Origin header. The server must send back other
information such as allowed request types, whether to expect headers in the actual
request's response, and whether the origin is accepted.

If the 'Access-Control-Allow-Origin' header of the response of the preflight request

does not match the Origin header of the request, the browser rejects it. If the
'Access-Control-Allow-Origin' header matches, the browser proceeds with the
request. The request's response must pass the same origin check, in case the rule
changes between the preflight and actual request.

Management of allowed origins

The origin value that is sent by your browser contains the protocol followed by the
host name and port, for example:
http://1.2.3.4:8888

You can intercept requests sent by your browser to ensure that you have the
correct origin value. You can add your origin to a whitelist on the QRadar Console
in the /opt/qradar/webapps/console/restapi/allowed_origins.list file. Changes
are detected and take effect immediately. This file contains a newline separated list
of allowed origins. Each entry is tested against the origin header that is sent by
browsers during pre-flight requests. If an entry matches the origin (or any entry is
'*'), the browser is allowed to make cross-origin resource sharing requests.

18 QRadar API Reference Guide

A common browser convention is to send null as the origin when the script is
started from file:// by adding '*' to the whitelist. This practice allows all origins
and is not a good practice.

Chapter 2. RESTful API overview 19

20 QRadar API Reference Guide
Chapter 3. API command-line client
Use the API command-line client to make API calls when logged in to the IBM
Security QRadar host as the root user. The API command-line client is
experimental and will stabilize over future QRadar releases.

You can use the API command-line client to complete the following tasks:
1. Print API endpoints. To print all endpoints and information that is required to
make calls against the endpoints, use the following command:
/opt/qradar/bin/api_client --print_api
2. Make requests to API endpoints.

Basic API calls

A basic API call is a GET request to an endpoint that requires no parameters, for
example:
/opt/qradar/bin/api_client --api /help/capabilities --method GET

The following table provides the arguments that you can use for basic calls.
Table 3. Arguments for basic calls
Argument Definition
--api /api_name/endpoint The path to your API endpoint. This path
appends to https://ConsoleIPaddress/. For
example:
https://ConsoleIPaddress/api/
reference_data/sets/
--method METHOD Determines whether your API request is a
GET, POST, or DELETE method. View the
output of --print_api for the required
method.

Calls with path parameters

You can add path parameters to modify the endpoint that you want to call and
correspond to a place in the endpoint portion in the URL. Use the Name parameter,
for example:
/referencedata/sets/{name}

To call a specific reference set in the Reference Data endpoint, place the name of
the reference set in the path to the endpoint that you want to specify. For example,
to retrieve the exampleset reference set, use the following call:
/opt/qradar/bin/api_client --api /referencedata/sets/exampleset --method GET

Calls with query parameters

Enter Query parameters with the following syntax:

--params param_name=param_value

Copyright IBM Corp. 2014, 2017 21

 For example, to get a list of all endpoints that use httpMethod POST, you can call
/help/capabilities. Supply the query parameters httpMethods and version. The
httpMethods parameter requires a JSON object. You can create a JSON object inside
double quotation marks by using single quotation marks, squares brackets, and
commas. For example:
/opt/qradar/bin/api_client --api /help/capabilities --method GET --params
httpMethods="[POST]" version="0.1"

To determine which parameters are query or body parameters, view the output of
--print_api.

Calls with body parameters

Enter body parameters in the same way that you enter query parameters, for
example, --param_name=param_value. You must specify the content type of the
body that you are sending with the --content_type TYPE argument. For example,
when you load bulk data with a content type of element type ALN to an existing
reference set that is named exampleset, type:
/opt/qradar/bin/api_client --api /referencedata/sets/bulkLoad/exampleset --method POST
--content_type="application/json" --params data="[value1,value2,value3]"

Important: You must specify the --content_type argument. If not specified, the
body is sent as a query parameter, and the API call fails.

Calls to other consoles

You can use the REST API command-line client to make API calls to a different
console from the client you are running. Use the --hostname HOSTNAME argument to
determine to which host name or IP address you want to send calls. Use the
following syntax:
/opt/qradar/bin/api_client --api /ariel/databases --method GET --hostnameIP address

Stored tokens authorization

Inputting and storing
You can generate an authorization token on the QRadar Console that you
want to call. You can then enter that authorization token into the API client
to use with subsequent calls. If the authorization token is valid, the token
is saved to disk in the ~/opt/qradar/bin/api_client/tokens folder with
the following file name: hostname.token.
Overwriting tokens
To overwrite a token for a console, make an API call to the Console by
using the --overwrite_token argument, and then input a new token. If the
token is valid, it is saved to disk.

User name and password authorization

Use the --pap argument for API client to use a password-authorized protocol to
authorize your API call, and then enter a user name and password. If you do not
use an authorized service token, the API client cannot save your user name and
password information for use by subsequent API calls to the same host.

API client help

Use the ./api_client -h argument to view all options for the API client.

22 QRadar API Reference Guide

Chapter 4. API sample code
IBM Security QRadar API samples are stored in a GitHub repository for each
version of QRadar. As new versions of QRadar are released, a new link is posted
with code samples to help customers use APIs and features.

The samples are provided for educational use. When you download the code
samples, you are presented with theIBM developerWorks terms of use. Read the
terms of use before you download the code samples. You must agree to the terms
to download the files.
v QRadar 7.2.1 Code Samples: https://github.com/ibmqradar/api-samples/tree/
7.2.1
v QRadar 7.2.2 Code Samples: https://github.com/ibmqradar/api-samples/tree/
7.2.2
v QRadar 7.2.3 Code Samples: https://github.com/ibm-security-intelligence/api-
samples/tree/7.2.3
v QRadar 7.2.4 Code Samples: https://github.com/ibm-security-intelligence/api-
samples/tree/7.2.4
v QRadar 7.2.5 Code Samples:https://github.com/ibm-security-intelligence/api-
samples/tree/7.2.5
v QRadar 7.2.6 Code Samples: https://github.com/ibm-security-intelligence/api-
samples/tree/7.2.6
v QRadar 7.2.7 Code Samples: https://github.com/ibm-security-intelligence/api-
samples/tree/7.2.7
v QRadar 7.2.8 Code Samples: https://github.com/ibm-security-intelligence/api-
samples/tree/7.2.8
v QRadar 7.3.0 Code Samples: https://github.com/ibm-security-intelligence/api-
samples/tree/7.3.0

What are the requirements to run the code samples?

The sample scripts that you download are designed to work the relevant QRadar
version. For example, samples for QRadar 7.2.1 must be used with QRadar 7.2.1
only.

API sample scripts that are downloaded from the GitHub page must not run
directly on a QRadar appliance. They are intended to run on an external host that
polls data from QRadar.

External hosts must use Python 3.3 to run the code samples. QRadar does not run
Python 3.3. QRadar cannot be upgraded to Python 3.3. Do not install RPMs on
your QRadar Console unless the files come from IBM Fix Central.

You can verify the software version on the Console from the Dashboard tab, by
selecting the Help > About. Download the appropriate code samples for the
QRadar version. A branch is created for each QRadar version in Github, and you
can download the specific branch for your QRadar version.

Copyright IBM Corp. 2014, 2017 23

24 QRadar API Reference Guide
Chapter 5. Accessing the interactive API documentation page
Use the interactive API documentation page to access technical details for the
RESTful APIs and experiment with making API requests to your server.

Before you begin

You must have administrative user role permissions in QRadar to access and use
RESTful APIs. For more information about how to manage user role permissions,
see the IBM Security QRadar Administration Guide.

About this task

The API documentation user interface provides descriptions and the ability to use
the following REST API interfaces:
Table 4. REST API interfaces
REST API Description
/api/analytics Create, update, and remove custom actions
for rules.
/api/ariel View event and flow properties, create event
and flow searches, and manage searches.
/api/asset_model Returns a list of all assets in the model. You
can also list all available asset property
types and saved searches, and update an
asset.
/api/auth Log out and invalidate the current session.
/api/config View and manage tenants, domains, and
QRadar extensions.
/api/gui_app_framework Install and manage applications that are
created by using the GUI Application
Framework Software Development Kit.
/api/help Returns a list of API capabilities.
/api/qvm Retrieves assets, vulnerabilities, networks,
open services, networks, and filters. You can
also create or update remediation tickets.
/api/reference_data View and manage reference data collections.
/api/scanner View, create, or start a remote scan that is
related to a scan profile.
/api/siem View, update, and close offenses. You can
also add notes and manage offense closing
reasons.
/api/system Manage server hosts, network interfaces,
and firewall rules.

Procedure
1. To access the interactive API documentation interface, enter the following URL
in your web browser: https://ConsoleIPaddress/api_doc/.
2. Click the arrow icon beside the API version you want to use.

Copyright IBM Corp. 2014, 2017 25

 8.0 is the latest version for QRadarV7.3.0.
3. Go to the endpoint that you want to access.
4. Read the endpoint documentation and complete the request parameters.
5. Click Try it out to send the API request to your console and receive a properly
formatted HTTPS response.

Note: When you click Try it out, the action is performed on the QRadar
system. Not all actions can be reversed, for example, you cannot reopen an
offense after you close it.
6. Review and gather the information that you need to integrate with QRadar.

26 QRadar API Reference Guide

Chapter 6. REST API V8.0 References
Each API reference provides information about the parameters, mime type,
stability, and responses for each endpoint.

Analytics endpoints
Use the references for REST API V8.0 analytics endpoints.

GET /analytics/ade_rules
Retrieves a list of ADE rules.

Retrieves a list of ADE rules.

Table 5. GET /analytics/ade_rules resource details
MIME Type
application/json

Table 6. GET /analytics/ade_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 7. GET /analytics/ade_rules response codes

HTTP Response
Code Unique Code Description
200 The ADE rules were retrieved.

Copyright IBM Corp. 2014, 2017 27

 Table 7. GET /analytics/ade_rules response codes (continued)
HTTP Response
Code Unique Code Description
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
ADE rules.

Response Description

An array of ADE Rule objects. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL,
THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}
]

GET /analytics/ade_rules/{id}
Retrieves an ADE rule.

Retrieves an ADE rule.

Table 8. GET /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 9. GET /analytics/ade_rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

28 QRadar API Reference Guide

 Table 9. GET /analytics/ade_rules/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 10. GET /analytics/ade_rules/{id} response codes

HTTP Response
Code Unique Code Description
200 The ADE rule was retrieved.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to retrieve the
ADE rule.

Response Description

The ADE rule after it is retrieved. An ADE Rule object contains the following
fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL,
THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

POST /analytics/ade_rules/{id}
Updates the ADE rule owner or enabled/disabled only.

Updates the ADE rule owner or enabled/disabled only.

Table 11. POST /analytics/ade_rules/{id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 29

 Table 12. POST /analytics/ade_rules/{id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 13. POST /analytics/ade_rules/{id} request body details

MIME
Parameter Data Type Type Description Sample
ade_rule Object application/ null { "id": "1", "name":
json "String", "type": "String",
"owner": "String" }

Table 14. POST /analytics/ade_rules/{id} response codes

HTTP Response
Code Unique Code Description
200 The ADE rule was updated.
403 1009 You do not have the required capabilities to update
the ADE rule.
404 1002 The ADE rule does not exist.
409 1004 The provided user does not have the required
capabilities to own the ADE rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
ADE rule.

Response Description
The ADE rule after it is updated. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL,
THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
{
"enabled": true,
"id": 42,

30 QRadar API Reference Guide

 "name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

DELETE /analytics/ade_rules/{id}
Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out.
The check might take some time. An asynchronous task is started to do this check.

Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out.
The check might take some time. An asynchronous task is started to do this check.
Table 15. DELETE /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 16. DELETE /analytics/ade_rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 17. DELETE /analytics/ade_rules/{id} response codes

HTTP Response
Code Unique Code Description
202 The ADE rule delete command was accepted and is
in progress.
403 1009 You do not have the required capabilities to delete
the ADE rule.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to delete the
ADE rule.

Response Description
A Delete Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.

Chapter 6. REST API V8.0 References 31

 v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/ade_rules/{id}/dependents
Retrieves the objects that depend on the ADE rule.

Retrieves the objects that depend on the ADE rule.

Table 18. GET /analytics/ade_rules/{id}/dependents resource details
MIME Type
application/json

Table 19. GET /analytics/ade_rules/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

32 QRadar API Reference Guide

Table 19. GET /analytics/ade_rules/{id}/dependents request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 20. GET /analytics/ade_rules/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The ADE rule dependents retrieval was accepted
and is in progress.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to initiate the
ADE rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_dependents_tasks/{task_id}". A Dependent
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.

Chapter 6. REST API V8.0 References 33

 sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,

34 QRadar API Reference Guide

 FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id}
Retrieves the delete the ADE rule task status.

Retrieves the delete ADE rule task status.

Table 21. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 22. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 23. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Chapter 6. REST API V8.0 References 35

 Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Retrieves the dependent the ADE rule task status.

Retrieves the dependent ADE rule task status.

Table 24. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

36 QRadar API Reference Guide

Table 25. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 26. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects tha were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.

Chapter 6. REST API V8.0 References 37

 status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:

38 QRadar API Reference Guide

 FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Cancels a dependent the ADE rule task.

Cancels a dependent ADE rule task.

Table 27. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 28. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 39

 Table 29. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request body
details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 30. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Dependent Task Status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.

40 QRadar API Reference Guide

v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

Chapter 6. REST API V8.0 References 41

 PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/
results
Retrieves the ADE rule dependent task results.

Retrieves the ADE rule dependent task results.

Table 31. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results resource
details
MIME Type
application/json

Table 32. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

42 QRadar API Reference Guide

Table 33. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results response
codes
HTTP Response
Code Unique Code Description
200 The ADE rule dependents were retrieved.
404 1002 The dependent task dtatus does not exist.
500 1020 An error occurred during the attempt to retrieve the
ADE rules.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,

Chapter 6. REST API V8.0 References 43

 EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/building_blocks
Retrieves a list of building block rules.

Retrieves a list of building block rules.

Table 34. GET /analytics/building_blocks resource details
MIME Type
application/json

Table 35. GET /analytics/building_blocks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

44 QRadar API Reference Guide

Table 35. GET /analytics/building_blocks request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 36. GET /analytics/building_blocks response codes

HTTP Response
Code Unique Code Description
200 The building block rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
building block rules.

Response Description

An array of Building Block Rule objects. A Building Block Rule object contains the
following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW,
COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE,
USER.
v base_capacity - Long - The base capacity of the building block rule in events per
second.
v base_host_id - Long - The ID of the host from which the building block rule's
base capacity was determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building
block rule across all hosts.
v capacity_timestamp - Date - The timestamp, as a Date, since the building block's
capacity values were last updated.

Response Sample
[
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,

Chapter 6. REST API V8.0 References 45

 "seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}
]

GET /analytics/building_blocks/building_block_delete_tasks/
{task_id}
Retrieves the delete the building block rule task status.

Retrieves the delete building block rule task status.

Table 37. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} resource
details
MIME Type
application/json

Table 38. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 39. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} response

codes
HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.

46 QRadar API Reference Guide

 Table 39. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} response
codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/building_blocks/
building_block_dependent_tasks/{task_id}
Retrieves the dependent the building block rule task status.

Retrieves the dependent building block rule task status.

Chapter 6. REST API V8.0 References 47

 Table 40. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} resource
details
MIME Type
application/json

Table 41. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 42. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id} response

codes
HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

48 QRadar API Reference Guide

v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,

Chapter 6. REST API V8.0 References 49

 COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/building_blocks/
building_block_dependent_tasks/{task_id}
Cancels the dependent the building block rule task.

Cancels the dependent building block rule task.

Table 43. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}
resource details
MIME Type
application/json

Table 44. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

50 QRadar API Reference Guide

Table 44. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 45. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id} request

body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 46. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}

response codes
HTTP Response
Code Unique Code Description
200 The Delete Task Status has been retrieved.
404 1002 The Dependent Task Status does not exist.
409 1004 The task is in a completed state
422 1005 A request parameter is not valid
500 1020 An error occurred during the attempt to update the
Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.

Chapter 6. REST API V8.0 References 51

 v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of
the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

52 QRadar API Reference Guide

 PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/building_blocks/
building_block_dependent_tasks/{task_id}/results
Retrieves the building block rule dependent task results.

Retrieves the building block rule dependent task results

Table 47. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results
resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 53

 Table 48. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results
request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 49. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results

response codes
HTTP Response
Code Unique Code Description
200 The building block rule dependents were retrieved.
404 1002 The Dependent Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
building block rules.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,

54 QRadar API Reference Guide

 ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/building_blocks/{id}
Retrieves a building block rule.

Retrieves a building block rule.

Table 50. GET /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 51. GET /analytics/building_blocks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Chapter 6. REST API V8.0 References 55

 Table 51. GET /analytics/building_blocks/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 52. GET /analytics/building_blocks/{id} response codes

HTTP Response
Code Unique Code Description
200 The building block rule was retrieved.
404 1002 The building block rule does not exist.
500 1020 An error occurred during the attempt to retrieve the
building block rule.

Response Description

The building block rule after it is retrieved. A Building Block Rule object contains
the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW,
COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE,
USER.
v base_capacity - Long - The base capacity of the building block rule in events per
second.
v base_host_id - Long - The ID of the host from which the building block rule's
base capacity was determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building
block rule across all hosts.
v capacity_timestamp - Date - The timestamp, as a Date, since the building block's
capacity values were last updated.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,

56 QRadar API Reference Guide

 "hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}

POST /analytics/building_blocks/{id}
Updates the building block rule owner or enabled/disabled only.

Updates the building block rule owner or enabled/disabled only.

Table 53. POST /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 54. POST /analytics/building_blocks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 55. POST /analytics/building_blocks/{id} request body details

Parameter Data Type MIME Type Description Sample
building_block Object application/ null { "id": "1", "name":
json "String", "type": "String",
"owner": "String" }

Chapter 6. REST API V8.0 References 57

 Table 56. POST /analytics/building_blocks/{id} response codes
HTTP Response
Code Unique Code Description
200 The building block rule was updated.
403 1009 You do not have the required capabilities to update
the building block rule.
404 1002 The building block rule does not exist.
409 1004 The provided user does not have the required
capabilities to own the building block rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
building block rule.

Response Description

The building block rule after it is updated. A building block rule object contains
the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW,
COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE,
USER.
v base_capacity - Long - The base capacity of the building block rule in events per
second.
v base_host_id - Long - The ID of the host from which the building block rule's
base capacity was determined.
v average_capacity - Long - The moving average capacity, in EPS, of the building
block rule across all hosts.
v capacity_timestamp - Date - The timestamp, as a Date, since the building block's
capacity values were last updated.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",

58 QRadar API Reference Guide

 "origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}

DELETE /analytics/building_blocks/{id}
Deletes the building block rule. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task to do is
started for this check.

Deletes the building block rule. To ensure safe deletion we check if anything
depends on it, this may take some time. Therefore we start an asynchronous task
to do this.
Table 57. DELETE /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 58. DELETE /analytics/building_blocks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 59. DELETE /analytics/building_blocks/{id} response codes

HTTP Response
Code Unique Code Description
202 The building block rule delete command was
accepted and is in progress.
403 1009 You do not have the required capabilities to delete
the building block rule.
404 1002 The building block rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
building block rule.

Chapter 6. REST API V8.0 References 59

 Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/building_blocks/{id}/dependents
Retrieves the objects that depend on the building block rule.

Retrieves the objects that depend on the building block rule

Table 60. GET /analytics/building_blocks/{id}/dependents resource details
MIME Type
application/json

Table 61. GET /analytics/building_blocks/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

60 QRadar API Reference Guide

Table 61. GET /analytics/building_blocks/{id}/dependents request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 62. GET /analytics/building_blocks/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The building block rule dependents retrieval was
accepted and is in progress.
404 1002 The building block rule does not exist.
500 1020 An error occurred during the attempt to initiate the
building block rule dependents retrieval task.

Response Description
A Dependents Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_dependents_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.

Chapter 6. REST API V8.0 References 61

 sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,

62 QRadar API Reference Guide

 FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/custom_actions/actions
Retrieves a list of available custom actions.

Retrieves a list of available custom actions.

Table 63. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 64. GET /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 63

 Table 65. GET /analytics/custom_actions/actions response codes
HTTP Response
Code Unique Code Description
200 The requested list of custom actions have been
successfully retrieved.
500 1020 An internal server error occurred while retrieving
custom actions.

Response Description

Array of available custom actions which in turn contain the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions
Creates a new custom action with the supplied fields.

Creates a new custom action with the supplied fields. The custom action must
contain the following fields:

64 QRadar API Reference Guide

v name - Required - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Required - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Required - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.
value - Required - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 66. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 67. POST /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 65

 Table 68. POST /analytics/custom_actions/actions request body details
MIME
Parameter Data Type Type Description Sample
custom_action Object application/ Custom action JSON { "description":
json object containing the "String", "interpreter":
supplied fields (see 42, "name": "String",
above for more "parameters": [ {
details). "encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 69. POST /analytics/custom_actions/actions response codes

HTTP Response
Code Unique Code Description
201 A new custom action has been successfully created.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while posting
custom action.

Response Description

The newly created custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,

66 QRadar API Reference Guide

 "name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

GET /analytics/custom_actions/actions/{action_id}
Retrieves a custom action based on the supplied action_id.

Retrieves a custom action based on the supplied action_id.

Table 70. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 71. GET /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Long id of the custom
(Integer) action to be retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 72. GET /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action has been successfully
retrieved.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while retrieving
custom action with supplied action_id.

Response Description

A custom action with containing following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.

Chapter 6. REST API V8.0 References 67

 v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id}
Updates an existing custom action.

Updates an existing custom action. The custom action should contain the following
fields:
v id - Required - Number - Unique ID of the custom action within the QRadar
deployment.
v name - Optional - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Optional - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Optional - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.

68 QRadar API Reference Guide

 value - Optional - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 73. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 74. POST /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action to be
updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 75. POST /analytics/custom_actions/actions/{action_id} request body details

MIME
Parameter Data Type Type Description Sample
custom_action Object application/ Custom action JSON { "description":
json object which can "String", "id": 42,
contain the supplied "interpreter": 42,
fields (see above for "name": "String",
more details). "parameters": [ {
"encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 76. POST /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The custom action has been updated.
404 1002 The requested custom action could not be found.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while updating
custom action with supplied action_id.

Chapter 6. REST API V8.0 References 69

 Response Description

The updated custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

DELETE /analytics/custom_actions/actions/{action_id}
Deletes an existing custom action.

Deletes an existing custom action.

Table 77. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 78. DELETE /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action you wish
to delete.

70 QRadar API Reference Guide

 Table 79. DELETE /analytics/custom_actions/actions/{action_id} response codes
HTTP Response
Code Unique Code Description
204 The custom action has been deleted.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while deleting
custom action with supplied action_id.

Response Description

Empty response with 204 successful response code.

Response Sample

GET /analytics/custom_actions/interpreters
Retrieves a list of available custom action interpreters.

Retrieves a list of available custom action interpreters.

Table 80. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

Table 81. GET /analytics/custom_actions/interpreters request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 71

 Table 82. GET /analytics/custom_actions/interpreters response codes
HTTP Response
Code Unique Code Description
200 The requested list of custom action interpreters have
been retrieved.
500 1020 An internal server error occurred while retrieving
available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

GET /analytics/custom_actions/interpreters/{interpreter_id}
Retrieves a custom action interpreter based on supplied interpreter_id.

Retrieves a custom action interpreter based on supplied interpreter_id.

Table 83. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 84. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
interpreter_id path Required Number text/plain Number id of custom
(Integer) action interpreter to
be retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

72 QRadar API Reference Guide

 Table 85. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes
HTTP Response
Code Unique Code Description
200 The requested custom action interpreter has been
retrieved.
404 1002 The requested custom action interpreter could not be
found.
500 1020 An internal server error occurred while retrieving
custom action interpreter with supplied
interpreter_id.

Response Description

A custom action interpreter with the following fields:

v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
{
"id": 42,
"name": "String"
}

GET /analytics/custom_actions/scripts
Retrieves a list of meta-data for available custom action script files.

Retrieves a list of meta-data for available custom action script files.

Table 86. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 87. GET /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 6. REST API V8.0 References 73

 Table 87. GET /analytics/custom_actions/scripts request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 88. GET /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
500 1020 An internal server error occurred while retrieving
available custom action script file meta-data.

Response Description
Array of available custom action script file meta-data, each with the following
fields:
v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts
Creates a new custom action script file. Newly created custom action script files
require a deployment before using.

Creates a new custom action script file. Newly created custom action script files
require a deployment before using. Users can include an optional HTTP header
file_name containing the custom action script file name. If not specified this is
defaulted to the script id of the uploaded file.
Table 89. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

74 QRadar API Reference Guide

 Table 90. POST /analytics/custom_actions/scripts request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 91. POST /analytics/custom_actions/scripts request body details

MIME
Parameter Data Type Type Description Sample
file File application/ Required. The custom File
octet-stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Table 92. POST /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
201 A custom action script file has been created.
500 1020 An internal server error occurred while posting
custom action script file.

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script within the QRadar
deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/scripts/{script_id}
Retrieves meta-data of a custom action script file based on supplied script_id.

Retrieves meta-data of a custom action script file based on supplied script_id.

Table 93. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 75

 Table 94. GET /analytics/custom_actions/scripts/{script_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script
file.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 95. GET /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while retrieving
custom action script file meta-data with supplied
script_id.

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id}
Updates an existing custom action script file. Updated custom action script files
require a deployment before using.

Updates an existing custom action script file. Updated custom action script files
require a deployment before using. Users can include an optional HTTP header
file_name containing the custom action script file name. If not specified this is
defaulted to the script id of the uploaded file.

76 QRadar API Reference Guide

Table 96. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 97. POST /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 98. POST /analytics/custom_actions/scripts/{script_id} request body details

MIME
Parameter Data Type Type Description Sample
file File application/ Required. The custom File
octet-stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Table 99. POST /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
200 The custom action script file has been updated.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while updating
custom action script file with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

Chapter 6. REST API V8.0 References 77

 DELETE /analytics/custom_actions/scripts/{script_id}
Deletes an existing custom action script file.

Deletes an existing custom action script file.

Table 100. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 101. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be deleted.

Table 102. DELETE /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
204 The custom action script file has been deleted.
404 1002 The requested custom action script file could not be
found.
422 1005 The requested custom action script file is tied to an
existing custom action.
500 1020 An internal server error occurred while deleting
custom action script file with supplied script_id.

Response Description

Empty response with a 204 successful response code.

Response Sample

GET /analytics/rule_groups
Retrieves a list of the rule groups.

Retrieves a list of the rule groups.

Table 103. GET /analytics/rule_groups resource details
MIME Type
application/json

78 QRadar API Reference Guide

Table 104. GET /analytics/rule_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 105. GET /analytics/rule_groups response codes

HTTP Response
Code Unique Code Description
200 The rule rroups were returned.
500 1020 An error occurred during the attempt to retrieve the
rule groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 6. REST API V8.0 References 79

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /analytics/rule_groups/{group_id}
Retrieves a rule group.

Retrieves a rule group.

Table 106. GET /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 107. GET /analytics/rule_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

80 QRadar API Reference Guide

Table 108. GET /analytics/rule_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The rule group was retrieved.
404 1002 The rule group does not exist.
500 1020 An error occurred during the attempt to retrieve the
rule group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 6. REST API V8.0 References 81

 POST /analytics/rule_groups/{group_id}
Updates the owner of a rule group.

Updates the owner of a rule group.

Table 109. POST /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 110. POST /analytics/rule_groups/{group_id} request parameter details

Data
Parameter Type Optionality Type MIME Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object
are separated by commas.

Table 111. POST /analytics/rule_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object {
with the owner set to a "child_groups": [ 42 ],
valid deployed user.
"child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH _GROUP,
FLOW_SAVED_SEARCH _GROUP,
OFFENSE_SAVED_SEARCH _GROUP,
QRM_SAVED_SEARCH _GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH
_GROUP,
SIMULATION_SAVED_SEARCH
_GROUP,
TOPOLOGY_SAVED_SEARCH
_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED _SEARCH
_GROUP>" }

82 QRadar API Reference Guide

Table 112. POST /analytics/rule_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The rule group was updated.
404 1002 The rule group does not exist.
409 1004 The provided user does not have the required
capabilities to own the rule group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
rule group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,

Chapter 6. REST API V8.0 References 83

 TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /analytics/rule_groups/{group_id}
Deletes a rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task to do is started for this check.

Deletes a rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task to do is started for this check.
Table 113. DELETE /analytics/rule_groups/{group_id} resource details
MIME Type
text/plain

Table 114. DELETE /analytics/rule_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 115. DELETE /analytics/rule_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
202 The rule delete command was accepted and is in
progress.
404 1002 The rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
rule.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

84 QRadar API Reference Guide

 Response Sample

GET /analytics/rules
Retrieves a list of rules.

Retrieves a list of rules.

Table 116. GET /analytics/rules resource details
MIME Type
application/json

Table 117. GET /analytics/rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 118. GET /analytics/rules response codes

HTTP Response
Code Unique Code Description
200 The rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
rules.

Response Description

An array of rule objects. A rule object contains the following fields:

v id - Long - The ID of the rule.
v name - String - The name of the rule.

Chapter 6. REST API V8.0 References 85

 v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the rule in events per second.
v base_host_id - Long - The ID of the host from which the rule's base capacity
was determined
v average_capacity - Long - The moving average capacity, in EPS, of the rule
across all hosts.
v capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the
rule's capacity values were last updated.

Response Sample
[
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}
]

GET /analytics/rules/rule_delete_tasks/{task_id}
Retrieves the delete the rule task status.

Retrieves the delete rule task status.

Table 119. GET /analytics/rules/rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 120. GET /analytics/rules/rule_delete_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

86 QRadar API Reference Guide

Table 120. GET /analytics/rules/rule_delete_tasks/{task_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 121. GET /analytics/rules/rule_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,

Chapter 6. REST API V8.0 References 87

 CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/rules/rule_dependent_tasks/{task_id}
Retrieves the dependent rule task status.

Retrieves the dependent rule task status.

Table 122. GET /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 123. GET /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 124. GET /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.

88 QRadar API Reference Guide

v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of
the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

Chapter 6. REST API V8.0 References 89

 PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/rules/rule_dependent_tasks/{task_id}
Cancels the dependent the rule task.

Cancels the dependent rule task.

Table 125. POST /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 126. POST /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

90 QRadar API Reference Guide

Table 126. POST /analytics/rules/rule_dependent_tasks/{task_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 127. POST /analytics/rules/rule_dependent_tasks/{task_id} request body details

Data MIME
Parameter Type Type Description Sample
task Object application/null { "status": "String <one of: CANCELLED,
json CANCELING, CANCEL_REQUESTED,
COMPLETED, CONFLICT, EXCEPTION,
INITIALIZING, INTERRUPTED,
PAUSED, PROCESSING, QUEUED,
RESUMING>" }

Table 128. POST /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.

Chapter 6. REST API V8.0 References 91

 v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,

92 QRadar API Reference Guide

 "progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/rules/rule_dependent_tasks/{task_id}/results
Retrieves the rule dependent task results.

Retrieves the rule dependent task results.

Table 129. GET /analytics/rules/rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 130. GET /analytics/rules/rule_dependent_tasks/{task_id}/results request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 6. REST API V8.0 References 93

 Table 130. GET /analytics/rules/rule_dependent_tasks/{task_id}/results request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 131. GET /analytics/rules/rule_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The rule dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
rules.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,

94 QRadar API Reference Guide

 QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/rules/{id}
Retrieves a rule.

Retrieves a rule.
Table 132. GET /analytics/rules/{id} resource details
MIME Type
application/json

Table 133. GET /analytics/rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Chapter 6. REST API V8.0 References 95

 Table 133. GET /analytics/rules/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 134. GET /analytics/rules/{id} response codes

HTTP Response
Code Unique Code Description
200 The rule was retrieved.
404 1002 The rule does not exist.
500 1020 An error occurred during the attempt to retrieve the
rule.

Response Description

The rule after it is retrieved. A rule object contains the following fields:
v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the rule in events per second.
v base_host_id - Long - The ID of the host from which the rule's base capacity
was determined.
v average_capacity - Long - The moving average capacity, in EPS, of the rule
across all hosts.
v capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the
rule's capacity values were last updated.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,

96 QRadar API Reference Guide

 "timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,
FLOW,
COMMON,
OFFENSE>"
}

POST /analytics/rules/{id}
Updates the rule owner or enabled/disabled only.

Updates the rule owner or enabled/disabled only.

Table 135. POST /analytics/rules/{id} resource details
MIME Type
application/json

Table 136. POST /analytics/rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 137. POST /analytics/rules/{id} request body details

MIME
Parameter Data Type Type Description Sample
rule Object application/ Required - Rule object. { "enabled": true, "id":
json 42, "name": "String",
"origin": "String <one of:
SYSTEM, OVERRIDE,
USER>", "owner":
"String", "type": "String
<one of: EVENT, FLOW,
COMMON, OFFENSE>"
}

Chapter 6. REST API V8.0 References 97

 Table 138. POST /analytics/rules/{id} response codes
HTTP Response
Code Unique Code Description
200 The rule was updated.
403 1009 You do not have the required capabilities to update
the rule.
404 1002 The rule does not exist.
409 1004 The provided user does not have the required
capabilities to own the rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
rule.

Response Description

The rule after it is updated. A rule object contains the following fields:
v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.
v base_capacity - Long - The base capacity of the rule in events per second.
v base_host_id - Long - The ID of the host from which the rule's base capacity
was determined.
v average_capacity - Long - The moving average capacity, in EPS, of the rule
across all hosts.
v capacity_timestamp - Long - The epoch timestamp, in milliseconds, since the
rule's capacity values were last updated.

Response Sample
{
"average_capacity": 42,
"base_capacity": 42,
"base_host_id": 42,
"capacity_timestamp": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezone_offset": 42,
"year": 42
},
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM,
OVERRIDE,
USER>",
"owner": "String",
"type": "String <one of: EVENT,

98 QRadar API Reference Guide

 FLOW,
COMMON,
OFFENSE>"
}

DELETE /analytics/rules/{id}
Delete the rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task to do is started for this check.

Deletes a rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task to do is started for this check.
Table 139. DELETE /analytics/rules/{id} resource details
MIME Type
application/json

Table 140. DELETE /analytics/rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 141. DELETE /analytics/rules/{id} response codes

HTTP Response
Code Unique Code Description
202 The rule delete command was accepted and is in
progress.
403 1009 You do not have the required capabilities to delete
the rule.
404 1002 The rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
rule.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.

Chapter 6. REST API V8.0 References 99

 v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/rules/{id}/dependents
Retrieves the objects that depend on the rule.

Retrieves the objects that depend on the rule.

Table 142. GET /analytics/rules/{id}/dependents resource details
MIME Type
application/json

Table 143. GET /analytics/rules/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

100 QRadar API Reference Guide

Table 143. GET /analytics/rules/{id}/dependents request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 144. GET /analytics/rules/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The rule dependents retrieval was accepted and is in
progress.
403 1009 null
404 1002 The rule does not exist.
500 1020 An error occurred during the attempt to initiate the
rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_dependents_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of
the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of Task Component objects. A Task
Component object contains the following fields:
message - String - The localized sub-task status message.

Chapter 6. REST API V8.0 References 101

 status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:

102 QRadar API Reference Guide

 FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

Ariel endpoints
Use the references for REST API V8.0 Ariel endpoints.

GET /ariel/databases
Retrieves a list of available Ariel database names

Retrieves a list of available Ariel databases.

Table 145. GET /ariel/databases resource details
MIME Type
application/json

Table 146. GET /ariel/databases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 147. GET /ariel/databases response codes

HTTP Response
Code Unique Code Description
200 The database list was retrieved.

Chapter 6. REST API V8.0 References 103

 Response Description

The names of the available Ariel databases.

Response Sample
[
"String"
]

GET /ariel/databases/{database_name}
Retrieves the columns that are defined for a specific Ariel database.

Retrieves the columns that are defined for the specified Ariel database. This is the
set of columns that can be explicitly named in the column list of a SELECT query.
Table 148. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 149. GET /ariel/databases/{database_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
database_name path Required String text/plain Required. The name of
the Ariel database that
contains the columns
that you want to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.

Table 150. GET /ariel/databases/{database_name} response codes

HTTP Response
Code Unique Code Description
200 The database columns were retrieved.
404 1002 The database does not exist.

104 QRadar API Reference Guide

 Response Description

A list of columns that are defined for the specified database. Multiple properties of
each column are returned. For example, the column name or an indication that the
column is indexable.

Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,
"name": "String"
}
]
}

GET /ariel/event_saved_search_groups
Retrieves a list the event Ariel saved search groups.

Retrieves a list the event Ariel saved search groups.

Table 151. GET /ariel/event_saved_search_groups resource details
MIME Type
application/json

Table 152. GET /ariel/event_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 105

 Table 153. GET /ariel/event_saved_search_groups response codes
HTTP Response
Code Unique Code Description
200 The event Ariel saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
event Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group ids.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

106 QRadar API Reference Guide

GET /ariel/event_saved_search_groups/{group_id}
Retrieves an event Ariel saved search group.

Retrieves an event Ariel saved search group.

Table 154. GET /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 155. GET /ariel/event_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 156. GET /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The event Ariel saved search group was retrieved.
404 1002 The vent Ariel saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
event Ariel saved search groups.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 6. REST API V8.0 References 107

 Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/event_saved_search_groups/{group_id}
Updates the owner of an event Ariel saved search group.

Updates the owner of an event Ariel saved search group.

Table 157. POST /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 158. POST /ariel/event_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

108 QRadar API Reference Guide

Table 159. POST /ariel/event_saved_search_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/Required - Group {
json object with the "child_groups": [ 42 ],
owner set to a valid
deployed user. "child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH _GROUP,
FLOW_SAVED_SEARCH _GROUP,
OFFENSE_SAVED_SEARCH _GROUP,
QRM_SAVED_SEARCH _GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH
_GROUP,
SIMULATION_SAVED_SEARCH
_GROUP,
TOPOLOGY_SAVED_SEARCH
_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED _SEARCH
_GROUP>" }

Table 160. POST /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The event Ariel saved search group was updated.
404 1002 The event Ariel saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the Eevent Ariel saved search
group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
event Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The id of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.

Chapter 6. REST API V8.0 References 109

 v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group ids.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/event_saved_search_groups/{group_id}
Deletes an event Ariel saved search group.

Deletes an event Ariel saved search group.

Table 161. DELETE /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 162. DELETE /ariel/event_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

110 QRadar API Reference Guide

 Table 163. DELETE /ariel/event_saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
204 The event Ariel saved search group was deleted.
404 1002 The event Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete
theevent Ariel saved search group.

Response Description

Response Sample

GET /ariel/flow_saved_search_groups
Retrieves a list of flow Ariel saved search groups.

Retrieves a list of flow Ariel saved search groups.

Table 164. GET /ariel/flow_saved_search_groups resource details
MIME Type
application/json

Table 165. GET /ariel/flow_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 111

 Table 166. GET /ariel/flow_saved_search_groups response codes
HTTP Response
Code Unique Code Description
200 The Retrieves a list of flow Ariel saved search
groups were returned.
500 1020 An error occurred during the attempt to retrieve the
flow Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

112 QRadar API Reference Guide

GET /ariel/flow_saved_search_groups/{group_id}
Retrieves a flow Ariel saved search group.

Retrieves a flow Ariel saved search group.

Table 167. GET /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 168. GET /ariel/flow_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 169. GET /ariel/flow_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The flow Ariel saved search group was retrieved.
404 1002 The flow Ariel saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
flow Ariel saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 6. REST API V8.0 References 113

 Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/flow_saved_search_groups/{group_id}
Updates the owner of a flow Ariel saved search group.

Updates the owner of a flow Ariel saved search group.

Table 170. POST /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 171. POST /ariel/flow_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

114 QRadar API Reference Guide

Table 172. POST /ariel/flow_saved_search_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/Required - Group {
json object with the "child_groups": [ 42 ],
owner set to a valid
deployed user. "child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH _GROUP,
FLOW_SAVED_SEARCH _GROUP,
OFFENSE_SAVED_SEARCH _GROUP,
QRM_SAVED_SEARCH _GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH
_GROUP,
SIMULATION_SAVED_SEARCH
_GROUP,
TOPOLOGY_SAVED_SEARCH
_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED _SEARCH
_GROUP>" }

Table 173. POST /ariel/flow_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The flow Ariel saved search group was updated.
404 1002 The flow Ariel saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the flow Ariel saved search
group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
flow Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.

Chapter 6. REST API V8.0 References 115

 v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/flow_saved_search_groups/{group_id}
Deletes a flow Ariel saved search group.

Deletes a flow Ariel saved search group.

Table 174. DELETE /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 175. DELETE /ariel/flow_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

116 QRadar API Reference Guide

 Table 176. DELETE /ariel/flow_saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
204 The flow Ariel saved search group was deleted.
404 1002 The flow Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
flow Ariel saved search group.

Response Description

Response Sample

GET /ariel/saved_search_delete_tasks/{task_id}
Retrieves the delete the Ariel saved search task status.

Retrieves the delete Ariel saved search task status.

Table 177. GET /ariel/saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 178. GET /ariel/saved_search_delete_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 179. GET /ariel/saved_search_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status was exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Chapter 6. REST API V8.0 References 117

 Response Description

A Delete Task Status object and the location header set to the task status url
"/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /ariel/saved_search_dependent_tasks/{task_id}
Retrieves the dependent the Ariel saved search task status.

Retrieves the dependent Ariel saved search task status.

Table 180. GET /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 181. GET /ariel/saved_search_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

118 QRadar API Reference Guide

Table 181. GET /ariel/saved_search_dependent_tasks/{task_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 182. GET /ariel/saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.

Chapter 6. REST API V8.0 References 119

 sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,

120 QRadar API Reference Guide

 FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /ariel/saved_search_dependent_tasks/{task_id}
Cancels the dependent Ariel saved search task.

Cancels the dependent Ariel saved search task.

Table 183. POST /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 184. POST /ariel/saved_search_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 121

 Table 185. POST /ariel/saved_search_dependent_tasks/{task_id} request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 186. POST /ariel/saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the vaalue is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.

122 QRadar API Reference Guide

v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

Chapter 6. REST API V8.0 References 123

 PROCESSING,
QUEUED,
RESUMING>"
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /ariel/saved_search_dependent_tasks/{task_id}/results
Retrieves the Ariel saved search dependent task results.

Retrieves the Ariel saved search dependent task results.

Table 187. GET /ariel/saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 188. GET /ariel/saved_search_dependent_tasks/{task_id}/results request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 189. GET /ariel/saved_search_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The Ariel saved search dependents were retrieved.

124 QRadar API Reference Guide

Table 189. GET /ariel/saved_search_dependent_tasks/{task_id}/results response
codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The Dependent Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Ariel saved searches.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource. ( Default
resources can have localized names )
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,

Chapter 6. REST API V8.0 References 125

 FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /ariel/saved_searches
Retrieves a list of Ariel saved searches.

Retrieves a list of Ariel saved searches.

Table 190. GET /ariel/saved_searches resource details
MIME Type
application/json

Table 191. GET /ariel/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

126 QRadar API Reference Guide

 Table 191. GET /ariel/saved_searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 192. GET /ariel/saved_searches response codes

HTTP Response
Code Unique Code Description
200 The Ariel saved searches were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
Ariel Saved Searches.

Response Description

An array of Ariel Saved Search objects. An Ariel Saved Search object contains the
following fields:
v id - Long - The ID of the ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
[
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}
]

GET /ariel/saved_searches/{id}
Retrieves an Ariel saved search.

Retrieves an Ariel saved search.

Table 193. GET /ariel/saved_searches/{id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 127

 Table 194. GET /ariel/saved_searches/{id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 195. GET /ariel/saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The Ariel saved search was retrieved.
404 1002 The Ariel saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the
Ariel Saved Search.

Response Description

The Ariel saved search after it is retrieved. An Ariel Saved Search object contains
the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}

POST /ariel/saved_searches/{id}
Updates the Ariel saved search owner only.

Updates the Ariel saved search owner only.

128 QRadar API Reference Guide

Table 196. POST /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 197. POST /ariel/saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 198. POST /ariel/saved_searches/{id} request body details

MIME
Parameter Data Type Type Description Sample
saved_search Object application/ null { "id": "1", "name":
json "String", "database":
"String", "is_shared":
true, "owner": "String"
}

Table 199. POST /ariel/saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The Ariel saved search was updated.
403 1009 You do not have the required capabilities to update
the Ariel Saved Search.
404 1002 The Ariel saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the Ariel saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
Ariel Saved Search.

Response Description

The Ariel saved search after it has been updated. An Ariel Saved Search object
contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.

Chapter 6. REST API V8.0 References 129

 v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}

DELETE /ariel/saved_searches/{id}
Deletes an Ariel saved search. To ensure safe deletion, a dependency check is
carried out. The check might take some time. An asynchronous task is started to
do this check.

Deletes an Ariel saved search. To ensure safe deletion, a dependency check is

carried out. The check might take some time. An asynchronous task is started to
do this check.
Table 200. DELETE /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 201. DELETE /ariel/saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 202. DELETE /ariel/saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
202 The Ariel saved search delete command was
accepted and is in progress.
403 1009 You do not have the required capabilities to delete
the Ariel saved search.
404 1002 The Ariel saved search does not exist.

130 QRadar API Reference Guide

 Table 202. DELETE /ariel/saved_searches/{id} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to delete the
Ariel Saved Search.

Response Description
A Delete Task Status object and the location header set to the task status url
"/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /ariel/saved_searches/{id}/dependents
Retrieves the objects that depend on the Ariel saved search.

Retrieves the objects that depend on the Ariel saved search.

Chapter 6. REST API V8.0 References 131

 Table 203. GET /ariel/saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 204. GET /ariel/saved_searches/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 205. GET /ariel/saved_searches/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Ariel saved search dependents retrieval was
accepted and is in progress
404 1002 The Ariel saved search does not exist
500 1020 An error occurred during the attempt to initiate the
Ariel Saved Search dependents retrieval task

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/ariel/saved_search_dependents_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.

132 QRadar API Reference Guide

v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,

Chapter 6. REST API V8.0 References 133

 INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /ariel/searches
Retrieves the list of Ariel searches. Search IDs for completed and active searches
are returned.

Retrieves the list of Ariel searches. This includes search IDs for completed and
active searches.
Table 206. GET /ariel/searches resource details
MIME Type
application/json

Table 207. GET /ariel/searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
db_name query Optional String text/plain Optional - The name of
the Ariel database to
retrieve the list of Ariel
searches.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

134 QRadar API Reference Guide

 Table 207. GET /ariel/searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 208. GET /ariel/searches response codes

HTTP Response
Code Unique Code Description
200 The search list was retrieved.
500 1020 An error occurred during the attempt to retrieve the
list of searches.
503 1010 The ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

POST /ariel/searches
Creates a new asynchronous Ariel search.

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query
expression. Searches are executed asynchronously. A reference to the search ID is
returned and should be used in subsequent API calls to determine the status of the
search and retrieve the results once it is complete.

This endpoint only accepts SELECT query expressions.

Queries are applied to the range of data in a certain time interval. By default this
time interval is the last 60 seconds. An alternative time interval can be specified by
specifying them as part of the query expression. For further information, see the
AQL reference guide.
Table 209. POST /ariel/searches resource details
MIME Type
application/json

Table 210. POST /ariel/searches request parameter details

Parameter Type Optionality Data Type MIME Type Description
query_expression query Required String text/plain Required - The AQL
query to execute.

Chapter 6. REST API V8.0 References 135

 Table 211. POST /ariel/searches response codes
HTTP Response
Code Unique Code Description
201 A new Ariel search was successfully created.
409 1004 The search cannot be created. The requested search
ID that was provided in the query expression is
already in use. Please use a unique search ID (or
allow one to be generated).
422 2000 The query_expression contains invalid AQL syntax.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to create a
new search.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

Information about the specified search, including the search ID. Use the search ID
to access or manipulate the search with the other API endpoints. If the exact search
being created was already recently created, the response message will return a
reference to the original search ID rather than creating a new search.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,

136 QRadar API Reference Guide

 "query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

GET /ariel/searches/{search_id}
Retrieves information about an Ariel search.

Retrieve status information for a search, based on the search ID parameter. The
same informational fields are returned regardless of whether the search is in
progress or is complete.
Table 212. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 213. GET /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The identifier
for an Ariel search.

Table 214. GET /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
200 The search information was retrieved.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
search information.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Chapter 6. REST API V8.0 References 137

 Response Description

Information about the specified search, including the search status.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

138 QRadar API Reference Guide

POST /ariel/searches/{search_id}
Updates an Ariel search.

Updates details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops
the search and keeps any search results that were collected before the search was
canceled.
v The results for a completed search can be saved by setting the save_results
parameter to true. This ensures that the search is not automatically removed
when it expires in accordance with the retention policy.

The Ariel server uses an internal retention policy to manage available disk space.
Searches might be deleted automatically, according to the settings of the retention
policy. Searches with saved results are not automatically reclaimed by the server
and are therefore retained. A search can be explicitly deleted by using the DELETE
/searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to
process new searches.
Table 215. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 216. POST /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The ID of the
search to update.
status query Optional String text/plain Optional. The only
accepted value is
CANCELED. If this
value is provided, the
search is canceled.
save_results query Optional String text/plain Optional. The only
accepted value is true.
If this value is
provided, the search
results are not deleted
by the search expiration
removal process. If
status parameter was
provided, this
parameter is not
checked and silently
ignored.

Table 217. POST /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
200 The search was updated.
404 1002 The search does not exist.

Chapter 6. REST API V8.0 References 139

 Table 217. POST /ariel/searches/{search_id} response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
search.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

Information about the specified search that was updated.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{

140 QRadar API Reference Guide

 "sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

DELETE /ariel/searches/{search_id}
Deletes an Ariel search.

Deletes an Ariel search. This discards any results that were collected and stops the
search if it is in progress. This search is deleted regardless of whether the results
were saved.
Table 218. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 219. DELETE /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required - The search
ID of the search to
delete.

Table 220. DELETE /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
202 The delete request has been accepted.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to delete the
search.
503 1010 The ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

Information about the deleted search.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,

Chapter 6. REST API V8.0 References 141

 "error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

GET /ariel/searches/{search_id}/results
Retrieves search results in the requested format.

Retrieve the results of the Ariel search that is identified by the search ID. The
Accepts request header indicates the format of the result. The formats are RFC
compliant and can be JSON, CSV, XML, or tabular text.

By default, all query result records are returned. To restrict the results to a
contiguous subset of the records, you can supply a Range header to specify the
inclusive range of records to be returned.

142 QRadar API Reference Guide

This end-point works with query results that are generated by AQL query
expressions. This endpoint might not work as expected for results that are
generated by other means. Search results might not be retrievable for searches that
are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP
from events.
Table 221. GET /ariel/searches/{search_id}/results resource details
MIME Type
application/json application/csv text/table application/xml

Table 222. GET /ariel/searches/{search_id}/results request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain The ID of the search
criteria for the returned
results.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 223. GET /ariel/searches/{search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The search results were retrieved.
404 1002 The search does not exist.
404 1003 Search results not found. The search is still in
progress.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
search results.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

The search results for the specified search ID. The format that is used to
encapsulate the data depends on the format specified in the Accept header for this
request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},

Chapter 6. REST API V8.0 References 143

 {
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}

Asset model endpoints

Use the references for REST API V8.0 Asset Model endpoints.

GET /asset_model/assets
List all assets found in the model.
Table 224. GET /asset_model/assets resource details
MIME Type
application/json

Table 225. GET /asset_model/assets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 226. GET /asset_model/assets response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.
500 1020 The server encountered an error while trying to
retrieve the assets.

144 QRadar API Reference Guide

 Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[{"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"network_id": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String"}]
}],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"}]
}]

POST /asset_model/assets/{asset_id}
Update an asset with several pertinent pieces of information.

The asset_id tag is mandatory, and is the unique identifier for an asset. This field
is available through the /asset_model/assets or /asset_model/saved_searches/
{saved_search_id}/results query. To update properties, the property type ID which
is available through the /asset_model/properties query must be provided along
with the new value. See the sample provided demonstrating an example asset
update.
Table 227. POST /asset_model/assets/{asset_id} resource details
MIME Type
text/plain

Table 228. POST /asset_model/assets/{asset_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
asset_id path Required String text/plain Unique identifier of the
asset to update.

Chapter 6. REST API V8.0 References 145

 Table 229. POST /asset_model/assets/{asset_id} request body details
Parameter Data Type MIME Type Description Sample
asset JSON application/json JSON representation of { "properties": [ {
an asset. "type_id": 1001, "value":
"given name value" }, {
"type_id": 1002, "value":
"unified name value" } ]
}

Table 230. POST /asset_model/assets/{asset_id} response codes

HTTP Response
Code Unique Code Description
202 The request to update the asset was successful. The
update will take place when the asset profile
application receives the request.
422 1005 One or more of the requested property updates were
invalid.
500 1020 The server encountered an error registering the
update with the asset profile application.

Response Description

Information about the asset that was updated.

Response Sample
String

GET /asset_model/properties
Get a list of available asset property types that can be used.

Get a list of available asset property types that can be used or applied against the
/asset_model/assets endpoint.
Table 231. GET /asset_model/properties resource details
MIME Type
application/json

Table 232. GET /asset_model/properties request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

146 QRadar API Reference Guide

 Table 232. GET /asset_model/properties request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 233. GET /asset_model/properties response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of asset property
types completed successfully.
500 1020 An error occurred while trying to retrieve the list of
asset property types.

Response Description

List of asset properties. Per asset property type: id and name that make up this
asset property type.

Response Sample
[
{
"custom": true,
"data_type": "String",
"display": true,
"id": 42,
"name": "String",
"state": 42
}
]

GET /asset_model/saved_search_groups
Retrieves a list the asset saved search groups.

Retrieves a list the asset saved search groups.

Table 234. GET /asset_model/saved_search_groups resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 147

 Table 235. GET /asset_model/saved_search_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 236. GET /asset_model/saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The asset saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
asset saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

148 QRadar API Reference Guide

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /asset_model/saved_search_groups/{group_id}
Retrieves an asset saved search group.

Retrieves an asset saved search group.

Table 237. GET /asset_model/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 238. GET /asset_model/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 149

 Table 239. GET /asset_model/saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The asset saved search group was retrieved.
404 1002 The asset saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
asset saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The id of the parent group. ( Default resources can have
localized names )
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group. ( Default groups can have localized
names )
v description - String - The description of the group. ( Default groups can have
localized names )
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

150 QRadar API Reference Guide

POST /asset_model/saved_search_groups/{group_id}
Updates the owner of an asset saved search group.

Updates the owner of an asset saved search group.

Table 240. POST /asset_model/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 241. POST /asset_model/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 242. POST /asset_model/saved_search_groups/{group_id} request body details

MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 243. POST /asset_model/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The asset saved search group has been updated.
404 1002 The asset saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the asset saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
asset saved search group.

Chapter 6. REST API V8.0 References 151

 Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /asset_model/saved_search_groups/{group_id}
Deletes an asset saved search group.

Deletes an asset saved search group.

152 QRadar API Reference Guide

 Table 244. DELETE /asset_model/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 245. DELETE /asset_model/saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 246. DELETE /asset_model/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The asset saved search group was deleted.
404 1002 The asset saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
asset saved search group.

Response Description

Response Sample

GET /asset_model/saved_searches
Get a list of saved searches that can be used.

Get a list of saved searches that can be used or applied against the
/asset_model/saved_searches/{saved_search_id}/results query.
Table 247. GET /asset_model/saved_searches resource details
MIME Type
application/json

Table 248. GET /asset_model/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 153

 Table 248. GET /asset_model/saved_searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 249. GET /asset_model/saved_searches response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of saved searches
completed successfully.
500 1020 The server encountered an error while trying to
retrieve the list of saved searches.

Response Description

List of saved searches. Per saved search: id, name and list of filters that make up
this saved search

Response Sample
[
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

154 QRadar API Reference Guide

GET /asset_model/saved_searches/{saved_search_id}
Retrieves an asset saved search.

Retrieves an asset saved search.

Table 250. GET /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 251. GET /asset_model/saved_searches/{saved_search_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 252. GET /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The asset saved search was retrieved,
404 1002 The asset saved search does not exist,
500 1020 An error occurred during the attempt to retrieve the
asset saved search,

Response Description

The asset saved search after it is retrieved. An Asset Saved Search object contains
the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],

Chapter 6. REST API V8.0 References 155

 "description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

POST /asset_model/saved_searches/{saved_search_id}
Updates the asset saved search owner only.

Updates the asset saved search owner only.

Table 253. POST /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 254. POST /asset_model/saved_searches/{saved_search_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 255. POST /asset_model/saved_searches/{saved_search_id} request body details

Parameter Data Type MIME Type Description Sample
saved_search Object application/ null { "columns": [ { "name":
json "String", "type": "String" }
], "description": "String",
"filters": [ { "operator":
"String", "parameter":
"String", "value": "String"
} ], "id": 42, "is_shared":
true, "name": "String",
"owner": "String" }

Table 256. POST /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The asset saved search was updated.

156 QRadar API Reference Guide

 Table 256. POST /asset_model/saved_searches/{saved_search_id} response
codes (continued)
HTTP Response
Code Unique Code Description
403 1009 You do not have the required capabilities to update
the asset saved search.
404 1002 The asset saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the asset saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
asset saved search.

Response Description

The asset saved search after it is updated. An Asset Saved Search object contains
the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

DELETE /asset_model/saved_searches/{saved_search_id}
Deletes an asset saved search.

Deletes an asset saved search.

Chapter 6. REST API V8.0 References 157

 Table 257. DELETE /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 258. DELETE /asset_model/saved_searches/{saved_search_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
saved_search_id path Required Number text/plain null
(Integer)

Table 259. DELETE /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
204 The asset saved searchh was deleted.
403 1009 You do not have the required capabilities to delete
the asset saved search.
404 1002 The asset saved search does not exist.
500 1020 An error occurred during the attempt to delete the
asset saved search.

Response Description

Response Sample

GET /asset_model/saved_searches/{saved_search_id}/results
Retrieves a list of assets based on the results of an asset saved search.
Table 260. GET /asset_model/saved_searches/{saved_search_id}/results resource details
MIME Type
application/json

Table 261. GET /asset_model/saved_searches/{saved_search_id}/results request parameter

details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required String text/plain Unique identifier of the
saved search used to
retrieve assets.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.

158 QRadar API Reference Guide

Table 261. GET /asset_model/saved_searches/{saved_search_id}/results request parameter
details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.

Table 262. GET /asset_model/saved_searches/{saved_search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.
422 1005 The unique identifier of the saved search provided
was invalid.
500 1003 The server encountered an error executing the saved
search.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
{
"domain_id": 42,
"id": 42,
"interfaces": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"ip_addresses": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"network_id": 42,
"type": "String",
"value": "String"
}
],
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String"

Chapter 6. REST API V8.0 References 159

 }
],
"properties": [
{
"id": 42,
"last_reported": 42,
"last_reported_by": "String",
"name": "String",
"type_id": 42,
"value": "String"
}
]
}
]

Authentication endpoints
Use the references for REST API V8.0 authentication endpoints.

POST /auth/logout
Invoke this method as an authorized user and your session will be invalidated.
Table 263. POST /auth/logout resource details
MIME Type
text/plain

There are no parameters for this endpoint.

Table 264. POST /auth/logout response codes
HTTP Response
Code Unique Code Description
200 The session was invalidated.

Response Description

Returns true. Throws exception upon failure.

Response Sample
true

Configuration endpoints
Use the references for REST API V8.0 configuration endpoints.

GET /config/access/tenant_management/tenants
Retrieve the list of all tenants ordered by tenant ID.

Retrieve the list of all tenants. The list is ordered by tenant ID.
Table 265. GET /config/access/tenant_management/tenants resource details
MIME Type
application/json

160 QRadar API Reference Guide

Table 266. GET /config/access/tenant_management/tenants request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 267. GET /config/access/tenant_management/tenants response codes

HTTP Response
Code Unique Code Description
200 The tenant list was successfully retrieved.
500 1020 An error occurred while the tenant list was being
retrieved.

Response Description

a list of all the tenants

Response Sample
[
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}
]

Chapter 6. REST API V8.0 References 161

 POST /config/access/tenant_management/tenants
Create a new tenant.
Table 268. POST /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 269. POST /config/access/tenant_management/tenants request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 270. POST /config/access/tenant_management/tenants request body details

Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

Table 271. POST /config/access/tenant_management/tenants response codes

HTTP Response
Code Unique Code Description
201 A new tenant was created successfully and returned
the new tenant object.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to create the tenant.

Response Description

a created tenant object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

162 QRadar API Reference Guide

GET /config/access/tenant_management/tenants/{tenant_id}
Retrieve a tenant by tenant id.
Table 272. GET /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 273. GET /config/access/tenant_management/tenants/{tenant_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 274. GET /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response
Code Unique Code Description
200 The tenant was successfully retrieved.
404 1002 No tenant was found for the provided tenant id.
500 1020 An error occurred while the tenant was being
retrieved.

Response Description
the associated tenants object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

Chapter 6. REST API V8.0 References 163

 POST /config/access/tenant_management/tenants/{tenant_id}
Update a tenant
Table 275. POST /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 276. POST /config/access/tenant_management/tenants/{tenant_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - Integer - the
(Integer) tenant id to modify
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 277. POST /config/access/tenant_management/tenants/{tenant_id} request body

details
Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

Table 278. POST /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response
Code Unique Code Description
200 A tenant profile that was updated successfully and
returned the updated tenant object.
404 1002 The tenant profile does not exist.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to retrieve/update the given tenant profile.

Response Description

The updated tenant object.

164 QRadar API Reference Guide

 Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

DELETE /config/access/tenant_management/tenants/
{tenant_id}
Delete a tenant.

Deletes a tenant by tenant ID.

Table 279. DELETE /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 280. DELETE /config/access/tenant_management/tenants/{tenant_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - String - id
(Integer) associated to a tenant

Table 281. DELETE /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response
Code Unique Code Description
200 The tenant was deleted successfully (soft delete).
404 1002 The tenant does not exists.
500 1020 An error occurred while deleting tenant.

Response Description

the deleted tenant object with its parameter deleted set to true

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/deployment/hosts
Retrieves a list of all deployed hosts.

Retrieves the list of all deployed hosts.

Chapter 6. REST API V8.0 References 165

 Table 282. GET /config/deployment/hosts resource details
MIME Type
application/json

Table 283. GET /config/deployment/hosts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 284. GET /config/deployment/hosts response codes

HTTP Response
Code Unique Code Description
200 The host list was successfully retrieved.
500 1001 An error occurred during the attempt to retrieve the
host list.

Response Description
A list of all the hosts. Each Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of
this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.

166 QRadar API Reference Guide

v eps_rate_hardware_limit - The upper limit for eps_allocation based on
hardware constraints for this managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous
month.
v peak_eps - The peak eps rate that was experienced by this managed host over
the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on
hardware constraints for this managed host
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous
month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over
the previous month.
v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for
this managed host.
v license_serial_number - The serial number that is associated with this managed
host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this
managed host.
v encryption_enabled - Whether or not encryption is enabled for this managed
host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,

Chapter 6. REST API V8.0 References 167

 qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

GET /config/deployment/hosts/{id}
Retrieves a deployed host by ID.

Retrieves a deployed host by ID.

Table 285. GET /config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 286. GET /config/deployment/hosts/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the deployed host to be
retrieved.

168 QRadar API Reference Guide

Table 286. GET /config/deployment/hosts/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 287. GET /config/deployment/hosts/{id} response codes

HTTP Response
Code Unique Code Description
200 The host was successfully retrieved.
404 1002 No such host is deployed for the given ID
422 1003 The provided ID was a negative number or zero.
500 1004 An error occurred during the retrieval of the host.

Response Description

The associated deployed host object. The Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of
this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.
v eps_rate_hardware_limit - The upper limit for eps_allocation based on
hardware constraints for this managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous
month.
v peak_eps - The peak eps rate that was experienced by this managed host over
the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on
hardware constraints for this managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous
month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over
the previous month.
v primary_server_id - The ID for the primary server host for this managed host.

Chapter 6. REST API V8.0 References 169

 v secondary_server_id - If configured, the ID for the secondary server host for
this managed host.
v license_serial_number - The serial number that is associated with this managed
host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this
managed host.
v encryption_enabled - Whether or not encryption is enabled for this managed
host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",

170 QRadar API Reference Guide

 "peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

POST /config/deployment/hosts/{id}
Updates a host by ID and sends a JMS message to update the pipeline.

Updates a host by the given ID.

Table 288. POST /config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 289. POST /config/deployment/hosts/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the staged host to be
updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 171

 Table 290. POST /config/deployment/hosts/{id} request body details
Parameter Data Type MIME Type Description Sample
host Object application/json Required - The host values { "appliance": { "id": "String", "type": "String" },
to be updated. At the "average_eps": 42, "average_fpm": 42, "components": [
moment, the only writable "String <one of: eventcollector, eventprocessor,
properties are dataNode, magistrate, ariel_query_server,
eps_allocation and ariel_proxy_server, vis, assetprofiler, qflow, hostcontext,
fpm_allocation. tunnel, setuptunnel, ecs-ec, ecs-ep, resolveragent,
resolver_manager, offsiteSource, offsiteTarget,
accumulator, offline_forwarder, qvm, qvmprocessor,
qvmscanner, qvmhostedscanner, qvmsiteprotector,
arc_builder, tomcat-rm, ziptie-server, qrm,
asset_change_publisher, forensicsnode,
forensics_realtime, masterdaemon>" ],
"compression_enabled": true, "encryption_enabled": true,
"eps_allocation": 42, "eps_rate_hardware_limit": 42,
"fpm_allocation": 42, "fpm_rate_hardware_limit": 42,
"hostname": "String", "id": 42, "license_serial_number":
"String", "peak_eps": 42, "peak_fpm": 42,
"primary_server_id": 42, "private_ip": "String",
"public_ip": "String", "secondary_server_id": 42, "status":
"String <one of: Active, ADDING, Deleted, Deleting,
ADD_FAILED, New, ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA, ADD_FAILED_CHECK_LOGS,
ADD_FAILED_QVMPROCESSOR_ALREADY_EXISTS>",
"version": "String" }

Table 291. POST /config/deployment/hosts/{id} response codes

HTTP Response
Code Unique Code Description
200 The host was successfully updated.
404 1010 Could not find the host to update.
417 1011 EPS values are expected to be a multiple of the set
EPS block. By default the block size is 500.
417 1012 FPM values are expected to be a multiple of the set
FPM block. By default the block size is 10000.
417 1013 The EPS value given does not meet the minimum
required EPS 200.
417 1014 The FPM value given does not meet the minimum
required FPM 200.
417 1016 Can't change EPS/FPM values for a host with a
serialized license.
417 1017 EPS value exceeds hardware limit.
417 1018 FPM value exceeds hardware limit.
417 1019 EPS value is greater than that available in the license
pool.
417 1020 FPM value is greater than that available in the
license pool.
422 1009 null
500 1021 null

Response Description

The updated host object. The host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.

172 QRadar API Reference Guide

v appliance - An object that represents the appliance type ID and description of
this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.
v eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware
constraints for this managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous
month.
v peak_eps - The peak eps rate that was experienced by this managed host over
the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on
hardware constraints for this managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous
month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over
the previous month.
v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for this
managed host.
v license_serial_number - The serial number associated with this managed host's
license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this managed
host.
v encryption_enabled - Whether or not encryption is enabled for this managed
host.

* @throws ServerProcessingException An unexpected exception occurred during

the updating of the host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,

Chapter 6. REST API V8.0 References 173

 ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

GET /config/deployment/license_pool
Retrieves the deployed license pool information.

Retrieves the deployed license pool information.

Table 292. GET /config/deployment/license_pool resource details
MIME Type
application/json

174 QRadar API Reference Guide

 Table 293. GET /config/deployment/license_pool request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 294. GET /config/deployment/license_pool response codes

HTTP Response
Code Unique Code Description
200 The license pool was successfully retrieved.
500 1001 An error occurred during the retrieval of the license
pool.

Response Description

The deployed license pool information.

v eps(allocated) - The amount of EPS rate allocated from the pool.
v eps(overallocated) - Whether EPS is overallocated or not in the pool.
v eps(total) - The total EPS rate available in the pool.
v fpm(allocated) - The amount of FPM rate allocated from the pool.
v fpm(overallocated) - Whether FPM is overallocated or not in the pool.
v fpm(total) - The total FPM rate available in the pool.

Response Sample
{
"eps": {
"allocated": 42,
"overallocated": true,
"total": 42
},
"fpm": {
"allocated": 42,
"overallocated": true,
"total": 42
}
}

GET /config/domain_management/domains
Retrieves the list of all domains, active and deleted (including the default domain).

The list is ordered by domain ID. If domains were never configured, only the
default domain is returned.

Chapter 6. REST API V8.0 References 175

 Table 295. GET /config/domain_management/domains resource details
MIME Type
application/json

Table 296. GET /config/domain_management/domains request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 297. GET /config/domain_management/domains response codes

HTTP Response
Code Unique Code Description
200 The domain list has been successfully retrieved.
500 1020 An error occurred while the domain list was being
retrieved.

Response Description
The list of domain objects.

Response Sample
[
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],

176 QRadar API Reference Guide

 "deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}
]

POST /config/domain_management/domains
Creates a new domain.
Table 298. POST /config/domain_management/domains resource details
MIME Type
application/json

Table 299. POST /config/domain_management/domains request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 177

 Table 300. POST /config/domain_management/domains request body details
Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object { "asset_scanner_ids":
(its id parameter is [42],
ignored). "custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

Table 301. POST /config/domain_management/domains response codes

HTTP Response
Code Unique Code Description
201 The domain has been successfully created.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
created.

Response Description

A created domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [

178 QRadar API Reference Guide

 42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/domain_management/domains/{domain_id}
Retrieves a domain by domain ID.
Table 302. GET /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 303. GET /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 304. GET /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully retrieved.
404 1002 No domain was found for the provided domain id.
500 1020 An error occurred while the domain was being
retrieved.

Response Description
A domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",

Chapter 6. REST API V8.0 References 179

 "id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

POST /config/domain_management/domains/{domain_id}
Updates an existing domain.
Table 305. POST /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 306. POST /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to update.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

180 QRadar API Reference Guide

Table 307. POST /config/domain_management/domains/{domain_id} request body details
Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object. { "asset_scanner_ids":
[42],
"custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

Table 308. POST /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully updated.
404 1002 No domain was found for the provided domain id.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
updated.

Response Description
The updated domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42

Chapter 6. REST API V8.0 References 181

 ],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

DELETE /config/domain_management/domains/{domain_id}
Deletes a domain by domain ID.

All domain mappings are also deleted

Table 309. DELETE /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 310. DELETE /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 311. DELETE /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully deleted.
404 1002 No domain was found for the provided domain id.
422 1005 Default domain cannot be deleted.
500 1020 An error occurred while the domain was being
deleted.

Response Description

The deleted domain object with its parameter deleted set to true.

182 QRadar API Reference Guide

 Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/event_retention_buckets
Retrieves a list of event retention buckets.

Retrieves a list of event retention buckets.

Table 312. GET /config/event_retention_buckets resource details
MIME Type
application/json

Table 313. GET /config/event_retention_buckets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 183

 Table 313. GET /config/event_retention_buckets request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 314. GET /config/event_retention_buckets response codes

HTTP Response
Code Unique Code Description
200 The event retention buckets were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
event retention buckets.

Response Description

An array of Retention Bucket objects. An Retention Bucket object contains the

following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )
v priority - Integer - The priority of the retention bucket. ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The id of the saved search used by the retention
bucket.
v enabled - Boolean - True if the retention bucket is enabled.

184 QRadar API Reference Guide

 Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]

GET /config/event_retention_buckets/{id}
Retrieves an event retention bucket.

Retrieves an event retention bucket.

Table 315. GET /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 316. GET /config/event_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 317. GET /config/event_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The event retention bucket was retrieved.
404 1002 The event retention bucket does not exist.
500 1020 An error occurred during the attempt to retrieve the
event retention bucket.

Chapter 6. REST API V8.0 References 185

 Response Description

The retention bucket after it has been retrieved. An Retention Bucket object
contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the
retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/event_retention_buckets/{id}
Updates the event retention bucket owner or enabled/disabled only.

Updates the event retention bucket owner or enabled/disabled only.

Table 318. POST /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 319. POST /config/event_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

186 QRadar API Reference Guide

Table 319. POST /config/event_retention_buckets/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 320. POST /config/event_retention_buckets/{id} request body details

Parameter Data Type MIME Type Description Sample
retention_bucket Object application/ null { "id": 1, "name": "String",
json "description": "String", "priority": 1,
"period": 1, "deletion": "String",
"created": 123123, "modified": 123123,
"saved_search_id": "String", "enabled":
true }

Table 321. POST /config/event_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The event retention bucket has been updated.
404 1002 The event retention bucket does not exist.
409 1004 The provided user does not have the required
capabilities to own the event retention bucket.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
event retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the
following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
Chapter 6. REST API V8.0 References 187
 v saved_search_id - String - The ID of the saved search that is used by the
retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/event_retention_buckets/{id}
Deletes an event retention bucket.

Deletes an event retention bucket.

Table 322. DELETE /config/event_retention_buckets/{id} resource details
MIME Type
text/plain

Table 323. DELETE /config/event_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Table 324. DELETE /config/event_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
204 The Event Retention Bucket was deleted.
403 1009 You do not have the proper capabilities to delete the
event retention bucket.
404 1002 The Event Retention Bucket does not exist.
500 1020 An error occurred during the attempt to delete the
event retention bucket.

188 QRadar API Reference Guide

 Response Description

Response Sample

GET /config/event_sources/custom_properties/
property_expressions
Retrieves a list of event regex property expressions.

Retrieves a list of event regex property expressions.

Table 325. GET /config/event_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

Table 326. GET /config/event_sources/custom_properties/property_expressions request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 327. GET /config/event_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
200 The requested list of event regex property
expressions was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of event regex property expressions.

Chapter 6. REST API V8.0 References 189

 Response Description

A list of event regex property expressions. Each regex property expression contains
the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.
v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/event_sources/custom_properties/
property_expressions
Creates a new event regex property expression.

Creates a new event regex property expression.

190 QRadar API Reference Guide

Table 328. POST /config/event_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

Table 329. POST /config/event_sources/custom_properties/property_expressions request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 330. POST /config/event_sources/custom_properties/property_expressions request

body details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON representation of the { "capture_group": 42, "creation_date": 42,
json regex property expression object "enabled": true, "id": 42, "identifier":
"String", "log_source_id": 42,
v regex_property_identifier - Required -
"log_source_type_id": 42,
String - The identifier of the event regex
"low_level_category_id": 42,
property that this expression belongs to. "modification_date": 42, "payload":
v enabled - Optional - Boolean - Flag that "String", "qid": 42, "regex": "String",
indicates whether this expression is "regex_property_identifier": "String",
enabled. It defaults to true if not "username": "String" }
provided.
v regex - Required - String - The regex to
extract the property from the payload.
v capture_group - Optional - Integer -
The capture group to capture. It
defaults to 1 if not provided.
v payload - Optional - String - Test
payload. This parameter is only used in
the UI so that the user can verify their
regex matches the expected payload.
v log_source_type_id - Required - Integer
- The expression is only applied to
events for this log source type.
v log_source_id - Optional - Integer - The
expression is only applied to events for
this log source (more specific than type
alone).
v qid - Optional - Integer - The
expression is only applied to events
associated with this QID record.
v low_level_category_id - Optional -
Integer - The expression is only applied
to events with this low level category.

Table 331. POST /config/event_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
201 A new event regex property expression was created.

Chapter 6. REST API V8.0 References 191

 Table 331. POST /config/event_sources/custom_properties/property_expressions response
codes (continued)
HTTP Response
Code Unique Code Description
422 1005 One or more request parameter are invalid in
request.
500 1020 An error occurred during the attempt to create a
new event regex property expression.

Response Description

The newly created event regex property expression that contains the following
fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.
v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

192 QRadar API Reference Guide

GET /config/event_sources/custom_properties/
property_expressions/{expression_id}
Retrieves an event regex property expression based on the supplied expression ID.

Retrieves an event regex property expression based on the supplied expression ID.
Table 332. GET /config/event_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Table 333. GET /config/event_sources/custom_properties/property_expressions/

{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The Guid ID of the
(Integer) event_regex_property_expression.
fields query Optional String text/plain Optional - Use this parameter to specify which
fields you would like to get back in the
response. Fields that are not named are
excluded. Specify subfields in brackets and
multiple fields in the same object are separated
by commas.

Table 334. GET /config/event_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The requested event regex property expression was
successfully retrieved.
404 1002 The requested event regex property expression
cannot be found.
500 1020 An error occurred during the attempt to retrieve the
requested event regex property expression.

Response Description

A event regex property expression that contains the following fields:

v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.

Chapter 6. REST API V8.0 References 193

 v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/event_sources/custom_properties/
property_expressions/{expression_id}
Updates an existing event regex property expression.

Updates an existing event regex property expression.

Table 335. POST /config/event_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Table 336. POST /config/event_sources/custom_properties/property_expressions/

{expression_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
expression_id path Required Number text/plain Required - The
(Integer) sequence ID of the
event regex property
expression.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

194 QRadar API Reference Guide

Table 337. POST /config/event_sources/custom_properties/property_expressions/
{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON representation of the { "capture_group": 42, "creation_date": 42,
json event regex property expression object. "enabled": true, "id": 42, "identifier":
"String", "log_source_id": 42,
v regex_property_identifier - Optional -
"log_source_type_id": 42,
String - The identifier of the event regex
"low_level_category_id": 42,
property that this expression belongs to. "modification_date": 42, "payload":
v enabled - Optional - Boolean - Flag that "String", "qid": 42, "regex": "String",
indicates whether this expression is "regex_property_identifier": "String",
enabled. "username": "String" }

v regex - Optional - String - The regex to

extract the property from the payload.
v capture_group - Optional - Integer -
The capture group to capture.
v payload - Optional - String - Test
payload. This parameter is only used in
the UI so that the user can verify their
regex matches the expected payload.
v log_source_type_id - Optional - Integer
- The expression is only applied to
events for this log source type.
v log_source_id - Optional - Integer - The
expression is only applied to events for
this log source (more specific than type
alone).
v qid - Optional - Integer - The
expression is only applied to events
associated with this QID record.
v low_level_category_id - Optional -
Integer - The expression is only applied
to events with this low level category.
v username - Optional - String - The
owner of the event regex property
expression. If the input username is
authorized service, the prefix
"API_token: " is required.

Table 338. POST /config/event_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The event regex property expression was updated.
403 1009 The user cannot update the resource because it only
can be updated by the owner or admin user.
404 1002 The requested event regex property expression
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred during the attempt to update an
event regex property expression.

Response Description

The updated event regex property expression object contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The ID of the event regex property that this
expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.

Chapter 6. REST API V8.0 References 195

 v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.
v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/event_sources/custom_properties/
property_expressions/{expression_id}
Deletes an event regex property expression based on the supplied expression ID.

Deletes an event regex property expression based on the supplied expression ID.
Table 339. DELETE /config/event_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
text/plain

Table 340. DELETE /config/event_sources/custom_properties/property_expressions/

{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The sequence ID of the
(Integer) event_regex_property_expression.

Table 341. DELETE /config/event_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
204 The requested event regex property expression was
successfully deleted.

196 QRadar API Reference Guide

 Table 341. DELETE /config/event_sources/custom_properties/property_expressions/
{expression_id} response codes (continued)
HTTP Response
Code Unique Code Description
403 1009 The user cannot delete the resource because it only
can be deleted by the owner or admin user.
404 1002 The requested event regex property expression
cannot be found.
500 1020 An error occurred during the attempt to delete the
requested event regex property expression.

Response Description

Response Sample

GET /config/event_sources/custom_properties/
regex_properties
Retrieves a list of event regex properties.

Retrieves a list of event regex properties.

Table 342. GET /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 343. GET /config/event_sources/custom_properties/regex_properties request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 6. REST API V8.0 References 197

 Table 344. GET /config/event_sources/custom_properties/regex_properties response codes
HTTP Response
Code Unique Code Description
200 The requested list of event regex properties was
retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of event regex properties.

Response Description
A list of event regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (STRING, NUMERIC, IP, PORT,
TIME) of event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The Language tag of what locale the Property matches.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/event_sources/custom_properties/
regex_properties
Creates a new event regex property.

Creates a new event regex property.

198 QRadar API Reference Guide

Table 345. POST /config/event_sources/custom_properties/regex_properties resource
details
MIME Type
application/json

Table 346. POST /config/event_sources/custom_properties/regex_properties request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 347. POST /config/event_sources/custom_properties/regex_properties request body

details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON representation of the { "creation_date": 42, "datetime_format":
json event regex property object. "String", "description": "String", "id": 42,
"identifier": "String", "locale": "String",
v name - Required - String - The name of
"modification_date": 42, "name": "String",
the event regex property.
"property_type": "String <one of: string,
v description - Optional - String - The numeric, ip, port, time>",
description of the event regex property. "use_for_rule_engine": true, "username":
"String" }
v property_type - Required - String - The
property type (string, numeric, ip, port,
time) of event regex property.
v use_for_rule_engine - Optional -
Boolean - The flag to indicate if the
event regex property is parsed when the
event is received. It is false if no value
supplied.
v datetime_format - Optional - String -
The date/time pattern that the event
regex property matches.. It is required
when property type is TIME.
v locale - Optional - String - The
language tag of the locale that the
property matches. The locale is required
when the property type is TIME.

Table 348. POST /config/event_sources/custom_properties/regex_properties response

codes
HTTP Response
Code Unique Code Description
201 A new event regex property was created.
422 1005 One or more request parameter are invalid in the
request.
500 1020 An error occurred during the attempt to create a
new event regex property.

Chapter 6. REST API V8.0 References 199

 Response Description

The newly created event regex property that contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

GET /config/event_sources/custom_properties/
regex_properties/{regex_property_id}
Retrieves a event regex property based on the supplied regex property ID.

Retrieves a event regex property based on the supplied regex property ID.
Table 349. GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 350. GET /config/event_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the
event_regex_property.

200 QRadar API Reference Guide

Table 350. GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id} request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object
are separated by commas.

Table 351. GET /config/event_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The requested event regex property was successfully
retrieved.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the
requested event regex property.

Response Description

A event regex property that contains the following fields:

v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the
event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

Chapter 6. REST API V8.0 References 201

 POST /config/event_sources/custom_properties/
regex_properties/{regex_property_id}
Updates an existing event regex property.

Updates an existing event regex property.

Table 352. POST /config/event_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 353. POST /config/event_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the event regex property.
fields header Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

202 QRadar API Reference Guide

Table 354. POST /config/event_sources/custom_properties/regex_properties/
{regex_property_id} request body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON { "creation_date": 42,
json representation of the "datetime_format":
event regex property "String", "description":
object. "String", "id": 42,
v description - "identifier": "String",
Optional - String - "locale": "String",
The description of the "modification_date": 42,
event regex property. "name": "String",
"property_type": "String
v property_type -
<one of: string,
Optional - String -
numeric, ip, port,
The property type
time>",
(string, numeric, ip,
"use_for_rule_engine":
port, time) of event
true, "username":
regex property.
"String" }
v use_for_rule_engine -
Optional - Boolean -
The flag to indicate if
the event regex
property is parsed
when the event is
received.
v datetime_format -
Optional - String -
The date/time
pattern that the event
regex property
matches. It is
required when
property type is
TIME.
v locale - Optional -
String - The language
tag of the locale that
the property matches.
The locale is required
when the property
type is TIME.
v username - Optional
- String - The owner
of the event regex
property. If the input
username is
authorized service,
the prefix "API_token:
" is required.

Table 355. POST /config/event_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The event regex property was updated.

Chapter 6. REST API V8.0 References 203

 Table 355. POST /config/event_sources/custom_properties/regex_properties/
{regex_property_id} response codes (continued)
HTTP Response
Code Unique Code Description
403 1009 The user cannot update the resource because it only
can be updated by the owner or admin user.
404 1002 The requested event regex property cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred during the attempt to update an
event regex property.

Response Description

The updated event regex property object contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The language tag of the locale the the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/event_sources/custom_properties/
regex_properties/{regex_property_id}
Deletes an event regex property. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task is started to
do this check.

Deletes an event regex property. To ensure safe deletion, a dependency check is

carried out. This check might take some time. An asynchronous task is started to
do this check.

204 QRadar API Reference Guide

Table 356. DELETE /config/event_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 357. DELETE /config/event_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 358. DELETE /config/event_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
202 The event regex property delete request was
accepted and is in progress.
403 1009 The user cannot delete the regex_property because it
only can be deleted by the owner or admin user.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred while attempting to delete the
event regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_delete_tasks/
{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,

Chapter 6. REST API V8.0 References 205

 "created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/
regex_properties/{regex_property_id}/dependents
Retrieves the objects that depend on the event regex property.

Retrieves the objects that depend on the event regex property.

Table 359. GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id}/dependents resource details
MIME Type
application/json

Table 360. GET /config/event_sources/custom_properties/regex_properties/

{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 361. GET /config/event_sources/custom_properties/regex_properties/

{regex_property_id}/dependents response codes
HTTP Response
Code Unique Code Description
202 The event regex property dependents retrieval was
accepted and is in progress.
404 1002 The event regex property does not exist.
500 1020 An error occurred while attempting to initiate the
event regex property dependents retrieval task.

206 QRadar API Reference Guide

Response Description

A Dependents Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/
regex_property_dependents_tasks/{task_id}". A Dependent Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,

Chapter 6. REST API V8.0 References 207

 "status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/
regex_property_delete_tasks/{task_id}
Retrieves the event regex property delete task status.

Retrieves the event regex property delete task status.

208 QRadar API Reference Guide

Table 362. GET /config/event_sources/custom_properties/regex_property_delete_tasks/
{task_id} resource details
MIME Type
application/json

Table 363. GET /config/event_sources/custom_properties/regex_property_delete_tasks/

{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 364. GET /config/event_sources/custom_properties/regex_property_delete_tasks/

{task_id} response codes
HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The requested delete task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_delete_tasks/
{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Chapter 6. REST API V8.0 References 209

 Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Retrieves the event regex property dependent task status.

Retrieves the event regex property dependent task status.

Table 365. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/
{task_id} resource details
MIME Type
application/json

Table 366. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/

{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

210 QRadar API Reference Guide

Table 367. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/
{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested dependent task status cannot be
found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Chapter 6. REST API V8.0 References 211

 Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

212 QRadar API Reference Guide

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Cancels the regex property dependent task.

Cancels the regex property dependent task.

Table 368. POST /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 369. POST /config/event_sources/custom_properties/

regex_property_dependent_tasks/{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 370. POST /config/event_sources/custom_properties/

regex_property_dependent_tasks/{task_id} request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Chapter 6. REST API V8.0 References 213

 Table 371. POST /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

214 QRadar API Reference Guide

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

Chapter 6. REST API V8.0 References 215

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.

Retrieves the regex property dependent task results.

Table 372. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/
{task_id}/results resource details
MIME Type
application/json

Table 373. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/

{task_id}/results request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 374. GET /config/event_sources/custom_properties/regex_property_dependent_tasks/

{task_id}/results response codes
HTTP Response
Code Unique Code Description
200 The regex property dependents were retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the
task results.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource )default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource

216 QRadar API Reference Guide

v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

Chapter 6. REST API V8.0 References 217

 GET /config/extension_management/extensions
Retrieve a list of extensions.
Table 375. GET /config/extension_management/extensions resource details
MIME Type
application/json

Table 376. GET /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 377. GET /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
200 The requested list of extensions has been retrieved.
422 22608 The supplied filter is invalid.
422 22615 Unknown status used in filter.
422 22610 The selected field cannot be utilized for sorting.
422 22609 Only top-level-elements of the root entity can be
sorted on.
500 22602 An error has occurred while trying to retrieve the
list of extensions.

218 QRadar API Reference Guide

Response Description

A list of extensions. Each extension contains the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
[
{
"file_location": "/store/cmt/exports/custom_rule.zip",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 3,
"identifier": "No Description Supplied",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Blacklist",

Chapter 6. REST API V8.0 References 219

 "content_type_name": "reference_data"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Whitelist",
"content_type_name": "reference_data"
},
{
"content_type_id": 32,
"identifier": "No Description Supplied",
"content_type_name": "reference_data_rules"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150825133843",
"size": 8575,
"id": 59,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "custom_rule.xml",
"install_time": 1440788704856,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440693660702
},
{
"file_location": "/store/cmt/exports/qidmap.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmap.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}
]

220 QRadar API Reference Guide

POST /config/extension_management/extensions
Uploads the supplied extension file to the IBM Security QRadarsystem.
Table 378. POST /config/extension_management/extensions resource details
MIME Type
application/json

Table 379. POST /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 380. POST /config/extension_management/extensions request body details

Parameter Data Type MIME Type Description Sample
file File application/x-gzip Required - The File
Extension file. Must be
a properly-formed
QRadar
extension/content
export, either an XML
file or an XML within a
ZIP or TAR.GZ archive.
Must be provided with
MIME type
application/xml,
application/zip,
application/x-gzip or
multipart/form-data

Table 381. POST /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
201 The supplied extension file has been uploaded.
409 22613 The supplied extension file can not be uploaded
because it shares the same hub_id and version as
one of the extensions in the system.
422 22607 The supplied extension could not be validated
successfully
422 22616 The supplied manifest for the extension is invalid.
500 22602 An error has occurred while trying to upload the
extension file.

Chapter 6. REST API V8.0 References 221

 Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,

222 QRadar API Reference Guide

 "min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

GET /config/extension_management/extensions/{extension_id}
Retrieves an extension based on the supplied extension ID.
Table 382. GET /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 383. GET /config/extension_management/extensions/{extension_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 384. GET /config/extension_management/extensions/{extension_id} response codes

HTTP Response
Code Unique Code Description
200 The requested extension has been retrieved.
404 22603 The requested extension cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
requested extension.

Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.

Chapter 6. REST API V8.0 References 223

 v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,

224 QRadar API Reference Guide

 "installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

POST /config/extension_management/extensions/
{extension_id}
Install an extension based on the supplied extension ID. This is an asynchronous
action.

Installs the Extension corresponding to the supplied extension ID Alternatively can

be used to preview an extension, showing what values are applied if the extension
is installed.
Table 385. POST /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 386. POST /config/extension_management/extensions/{extension_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
action_type query Required String text/plain Required - The desired
action to take on the
Extension (INSTALL or
PREVIEW)
overwrite query Optional Boolean text/plain Optional - If true, any
existing items on the
importing system will be
overwritten if the
extension contains the
same items. If false,
existing items will be
preserved, and the
corresponding items in
the extension will be
skipped.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 387. POST /config/extension_management/extensions/{extension_id} response codes

HTTP Response
Code Unique Code Description
202 The requested install or preview task has been
started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.

Chapter 6. REST API V8.0 References 225

 Table 387. POST /config/extension_management/extensions/{extension_id} response
codes (continued)
HTTP Response
Code Unique Code Description
409 22612 The supplied extension cannot be
installed/previewed because it is already installed
409 22611 The supplied extension cannot be
installed/previewed because it is already in the
process of being installed/previewed.
409 22618 The requested task can not be initiated because
another preview/install task is already in progress.
422 22605 The supplied action type is invalid
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to install or
preview the requested extension.

Response Description

A JSON string depicting the accepted task for previewing/installing an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

DELETE /config/extension_management/extensions/
{extension_id}
Uninstall an extension based on the supplied extension ID. This is an
asynchronous action.

226 QRadar API Reference Guide

Table 388. DELETE /config/extension_management/extensions/{extension_id} resource
details
MIME Type
application/json

Table 389. DELETE /config/extension_management/extensions/{extension_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension to be
uninstalled.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 390. DELETE /config/extension_management/extensions/{extension_id} response

codes
HTTP Response
Code Unique Code Description
202 The requested uninstall task has been started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22611 The supplied extension cannot be uninstalled
because it is already in the process of being
uninstalled.
409 22617 The extension can not be uninstalled because it is
already in the process of being previewed/installed.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to uninstall an
extension.

Response Description

A JSON string depicting the accepted task for uninstalling an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {

Chapter 6. REST API V8.0 References 227

 "progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

GET /config/extension_management/extensions_task_status/
{status_id}
Retrieves the tasks status based on the status ID.
Table 391. GET /config/extension_management/extensions_task_status/{status_id} resource
details
MIME Type
application/json

Table 392. GET /config/extension_management/extensions_task_status/{status_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - the id of the
(Integer) task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 393. GET /config/extension_management/extensions_task_status/{status_id} response

codes
HTTP Response
Code Unique Code Description
200 The requested task status has been retrieved.
404 22604 The task status for status_id cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
task status.

228 QRadar API Reference Guide

Response Description

A task status containing the following fields:

v id - Number - The ID of the task status.
v name - String - The name of the task status.
v status - String - A string that represents the current state of the task status.
v message - String - A message regarding the current state of the task.
v progress - Number - The current progress of the task
v minimum - Number - The minimum progress of the task.
v maximum - Number - The maximum progress of the task.
v created_by - String - The username of the user who created the task.
v cancelled_by - String - The username of the user who cancelled the task.
v created - Number - The date/time at which this task was created, represented as
number of milliseconds since Unix epoch.
v started - Number - The date/time at which this task was started, represented as
number of milliseconds since Unix epoch.
v modified - Number - The date/time at which this task was last modified,
represented as number of milliseconds since Unix epoch.
v completed - Number - The date/time at which this task was completed,
represented as number of milliseconds since Unix epoch.
v result_url - String - The url where the result can be viewed.
v cancel_requested - Boolean - True if cancel has been requested.
v child_tasks - Array - Array of child task id's that are executed asynchronously
from this task.
v task_components - Array - Array of task components that are executed
sequentially.

Response Sample
{
"progress": 0,
"result_url": "",
"cancelled_by": "",
"status": "COMPLETED",
"task_components": null,
"modified": 1440891517961,
"id": 102,
"message": "Completed Extension uninstallation task for extension id 56",
"created_by": "admin",
"created": 1440891514006,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891514041,
"completed": 1440891515224
}

Chapter 6. REST API V8.0 References 229

 GET /config/extension_management/extensions_task_status/
{status_id}/results
Retrieves the tasks status results based on the status ID.
Table 394. GET /config/extension_management/extensions_task_status/{status_id}/results
resource details
MIME Type
application/json

Table 395. GET /config/extension_management/extensions_task_status/{status_id}/results

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - The id of
(Integer) the task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 396. GET /config/extension_management/extensions_task_status/{status_id}/results

response codes
HTTP Response
Code Unique Code Description
200 The requested results of the task status have been
retrieved.
404 22604 The task status for status_id cannot be found.
404 22614 The task results are not available.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
results of a task status.

Response Description
A JSON object representing the result of an Extension preview, install or uninstall
task. It contains the following fields:
v id - Number - The ID of the extension.
v task_type - String - The type of task that was issued against the Extension.
v content - Array - An array of JSON objects representing the contents of the
extension and what action is associated with each content item for the task that
was executed. Each content item contains the following fields:
name - String - The name of the content item.
content_type_id - Number - The ID of the type of the content item.

230 QRadar API Reference Guide

 content_type_name - String - The name of the type of the content item.
action - String - The action taken for the content item.

Response Sample
{
"id": 56,
"task_type": "UNINSTALL",
"content": [
{
"content_type_id": 3,
"name": "SYSTEM-1607",
"action": "SKIP",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"name": "Asset Reconciliation IPv4 Whitelist",
"action": "SKIP",
"content_type_name": "reference_data"
}
]
}

GET /config/flow_retention_buckets
Retrieves a list of flow retention buckets.

Retrieves a list of flow retention buckets.

Table 397. GET /config/flow_retention_buckets resource details
MIME Type
application/json

Table 398. GET /config/flow_retention_buckets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 6. REST API V8.0 References 231

 Table 398. GET /config/flow_retention_buckets request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 399. GET /config/flow_retention_buckets response codes

HTTP Response
Code Unique Code Description
200 The flow retention buckets were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
flow retention buckets.

Response Description

An array of Retention Bucket objects. An Retention Bucket object contains the

following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )
v priority - Integer - The priority of the retention bucket. ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention
bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",

232 QRadar API Reference Guide

 "description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]

GET /config/flow_retention_buckets/{id}
Retrieves a flow retention bucket.

Retrieves a flow retention bucket.

Table 400. GET /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 401. GET /config/flow_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 402. GET /config/flow_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The flow retention bucket was retrieved.
404 1002 The flow retention bucket does not exist.
500 1020 An error occurred during the attempt to retrieve the
flow retention bucket.

Response Description

The retention bucket after it is retrieved. An Retention Bucket object contains the
following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )
v priority - Integer - The priority of the retention bucket. ( 0 - 10 ).
v name - String - The name of the retention bucket.

Chapter 6. REST API V8.0 References 233

 v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the
retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/flow_retention_buckets/{id}
Updates the flow retention bucket owner, or enabled/disabled only.

Updates the flow retention bucket owner, or enabled/disabled only.

Table 403. POST /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 404. POST /config/flow_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

234 QRadar API Reference Guide

Table 405. POST /config/flow_retention_buckets/{id} request body details
MIME
Parameter Data Type Type Description Sample
retention_bucket Object application/ null { "bucket_id": 42,
json "database": "String",
"description": "String",
"enabled": true, "id":
42, "name": "String",
"period": 42, "priority":
42, "saved_search_id":
"String" }

Table 406. POST /config/flow_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The flow retention bucket was updated.
404 1002 The Flow Retention Bucket does not exist.
409 1004 The provided user does not have the required
capabilities to own the flow retention bucket.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
flow retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the
following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 ).
v priority - Integer - The priority of the retention bucket ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention
bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",

Chapter 6. REST API V8.0 References 235

 "description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/flow_retention_buckets/{id}
Deletes a flow retention bucket.

Deletes a flow retention bucket.

Table 407. DELETE /config/flow_retention_buckets/{id} resource details
MIME Type
text/plain

Table 408. DELETE /config/flow_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Table 409. DELETE /config/flow_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
204 The flow retention bucket was deleted.
403 1009 You do not have the proper capabilities to delete the
flow retention bucket.
404 1002 The flow retention bucket does not exist.
500 1020 An error occurred during the attempt to delete the
flow retention bucket.

Response Description

Response Sample

GET /config/flow_sources/custom_properties/
property_expressions
Retrieve a list of flow regex property expressions.

Retrieves a list of flow regex property expressions.

Table 410. GET /config/flow_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

236 QRadar API Reference Guide

Table 411. GET /config/flow_sources/custom_properties/property_expressions request
parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 412. GET /config/flow_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
200 The requested list of flow regex property expressions
was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of flow regex property expressions.

Response Description

A list of flow regex property expressions. Each regex property expression contains
the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.

Chapter 6. REST API V8.0 References 237

 v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/flow_sources/custom_properties/
property_expressions
Creates a new flow regex property expression.

Creates a new flow regex property expression.

Table 413. POST /config/flow_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

Table 414. POST /config/flow_sources/custom_properties/property_expressions request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

238 QRadar API Reference Guide

Table 415. POST /config/flow_sources/custom_properties/property_expressions request
body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON representation of { "capture_group": 42,
json the regex property expression object. "creation_date": 42, "enabled": true,
v regex_property_identifier - "id": 42, "identifier": "String",
Required - String - The identifier "low_level_category_id": 42,
"modification_date": 42, "payload":
of the flow regex property that
"String", "payload_origin": "String
this expression belongs to.
<one of: event_payload,
v enabled - Optional - Boolean - source_payload,
Flag that indicates whether this destination_payload>", "qid": 42,
expression is enabled. It defaults "regex": "String",
to true if not provided. "regex_property_identifier": "String",
"username": "String" }
v regex - Required - String - The
regex to extract the property from
the payload.
v capture_group - Optional -
Integer - The capture group to
capture. It defaults to 1 if not
provided.
v payload - Optional - String - Test
payload. This is only used in the
UI so that the user can verify
their regex matches the expected
payload.
v qid - Optional - Integer - The QID
of the flow to apply this
expression to.
v low_level_category_id - Optional
- Integer - The expression is
applied to all flows with this low
level category.
v payload_origin - Required -
String - The payload type
(source_payload,
destination_payload) to apply the
expression to.

Table 416. POST /config/flow_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
201 A new flow regex property expression was created.
422 1005 One or more request parameter are invalid in the
request.
500 1020 An error occurred during the attempt to create a
new flow regex property expression.

Response Description

The newly created flow regex property expression containing the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.

Chapter 6. REST API V8.0 References 239

 v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

GET /config/flow_sources/custom_properties/
property_expressions/{expression_id}
Retrieves a flow regex property expression based on the supplied expression ID.

Retrieves a flow regex property expression based on the supplied expression ID.
Table 417. GET /config/flow_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Table 418. GET /config/flow_sources/custom_properties/property_expressions/

{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The sequence ID of the
(Integer) flow_regex_property_expression.
fields query Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object are
separated by commas.

240 QRadar API Reference Guide

Table 419. GET /config/flow_sources/custom_properties/property_expressions/
{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The requested flow regex property expression was
successfully retrieved.
404 1002 The requested flow regex property expression cannot
be found.
500 1020 An error occurred during the attempt to retrieve the
requested flow regex property expression.

Response Description

A flow regex property expression containing the following fields:

v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

Chapter 6. REST API V8.0 References 241

 POST /config/flow_sources/custom_properties/
property_expressions/{expression_id}
Updates an existing flow regex property expression.

Updates an existing flow regex property expression.

Table 420. POST /config/flow_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Table 421. POST /config/flow_sources/custom_properties/property_expressions/

{expression_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
expression_id path Required Number text/plain Required - The
(Integer) sequence ID of the
flow regex property
expression.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

242 QRadar API Reference Guide

Table 422. POST /config/flow_sources/custom_properties/property_expressions/
{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON { "capture_group": 42, "creation_date": 42,
json representation of the flow "enabled": true, "id": 42, "identifier":
regex property expression "String", "low_level_category_id": 42,
object. "modification_date": 42, "payload":
v "String", "payload_origin": "String <one
regex_property_identifier of: event_payload, source_payload,
destination_payload>", "qid": 42, "regex":
- Optional - String - The
"String", "regex_property_identifier":
identifier of the flow
"String", "username": "String" }
regex property that this
expression belongs to.
v enabled - Optional -
Boolean - Flag that
indicates whether this
expression is enabled.
v regex - Optional - String
- The regex to extract the
property from the
payload.
v capture_group -
Optional - Integer - The
capture group to
capture.
v payload - Optional -
String - Test payload.
This is only used in the
UI so that the user can
verify their regex
matches the expected
payload.
v qid - Optional - Integer -
The QID of the flow to
apply this expression to.
v low_level_category_id -
Optional - Integer - The
expression is applied to
all flows with this low
level category.
v payload_origin -
Optional - String - The
payload type
(source_payload,
destination_payload) to
apply the expression to.
v username - Optional -
String - The owner of
the flow regex property
expression. If the input
username is authorized
service, the prefix
"API_token: " is
required.

Table 423. POST /config/flow_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The flow regex property expression was updated.
403 1009 The user cannot update the resource because it only
can be updated by the owner or admin user.
404 1002 The requested flow regex property expression cannot
be found.

Chapter 6. REST API V8.0 References 243

 Table 423. POST /config/flow_sources/custom_properties/property_expressions/
{expression_id} response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an
flow regex property expression.

Response Description

The updated flow regex property expression object contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/flow_sources/custom_properties/
property_expressions/{expression_id}
Deletes a flow regex property expression based on the supplied expression ID.

Deletes a flow regex property expression based on the supplied expression ID.

244 QRadar API Reference Guide

 Table 424. DELETE /config/flow_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
text/plain

Table 425. DELETE /config/flow_sources/custom_properties/property_expressions/

{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The sequence ID of the
(Integer) flow_regex_property_expression.

Table 426. DELETE /config/flow_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
204 The requested flow regex property expression was
successfully deleted.
403 1009 The user cannot delete the resource because it only
can be deleted by the owner or admin user.
404 1002 The requested flow regex property expression cannot
be found.
500 1020 An error occurred during the attempt to delete the
requested flow regex property expression.

Response Description

Response Sample

GET /config/flow_sources/custom_properties/regex_properties
Retrieves a list of flow regex properties.

Retrieves a list of flow regex properties.

Table 427. GET /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 245

 Table 428. GET /config/flow_sources/custom_properties/regex_properties request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 429. GET /config/flow_sources/custom_properties/regex_properties response codes

HTTP Response
Code Unique Code Description
200 The requested list of flow regex properties was
retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of flow regex properties.

Response Description
A list of flow regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.

246 QRadar API Reference Guide

 v locale - String - The language tag of the locale that the property matches.
.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/flow_sources/custom_properties/
regex_properties
Creates a new flow regex property.

Creates a new flow regex property.

Table 430. POST /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 431. POST /config/flow_sources/custom_properties/regex_properties request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 247

 Table 432. POST /config/flow_sources/custom_properties/regex_properties request body
details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON representation of { "creation_date": 42,
json the flow regex property object. "datetime_format": "String",
v name - Required - String - The "description": "String", "id": 42,
name of the flow regex property. "identifier": "String", "locale":
"String", "modification_date": 42,
v description - Optional - String - "name": "String", "property_type":
The description of the flow regex "String <one of: string, numeric, ip,
property. port, time>", "use_for_rule_engine":
v property_type - Required - String true, "username": "String" }
- The property type (string,
numeric, ip, port, time) of flow
regex property.
v use_for_rule_engine - Optional -
Boolean - The flag that indicates
if the flow regex property is
parsed when the flow was
captured.
v datetime_format - Optional -
String - The date/time pattern
that the flow regex property
matches. It is required when
property type is TIME.
v locale - Optional - String - The
language tag of the locale that the
property matches. The locale is
required when property type is
TIME.

Table 433. POST /config/flow_sources/custom_properties/regex_properties response codes

HTTP Response
Code Unique Code Description
201 A new flow regex property was created.
422 1005 One or more request parameter are invalid in the
request.
500 1020 An error occurred during the attempt to create a
new flow regex property.

Response Description

The newly created flow regex property that contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.
v locale - String - The language tag of the locale that the property matches.

248 QRadar API Reference Guide

 Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

GET /config/flow_sources/custom_properties/
regex_properties/{regex_property_id}
Retrieves a flow regex property based on the supplied regex property ID.

Retrieves a flow regex property based on the supplied regex property ID.
Table 434. GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 435. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the flow_regex_property.
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 436. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The requested flow regex property was successfully
retrieved.
404 1002 The requested flow regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the
requested flow regex property.

Response Description

A flow regex property that contains the following fields:

v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.

Chapter 6. REST API V8.0 References 249

 v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/flow_sources/custom_properties/
regex_properties/{regex_property_id}
Updates an existing flow regex property.

Updates an existing flow regex property.

Table 437. POST /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 438. POST /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the flow regex property.
fields header Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

250 QRadar API Reference Guide

Table 439. POST /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} request body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON { "creation_date": 42,
json representation of the "datetime_format":
flow regex property "String", "description":
object. "String", "id": 42,
v description - "identifier": "String",
Optional - String - "locale": "String",
The description of the "modification_date": 42,
flow regex property. "name": "String",
"property_type": "String
v property_type -
<one of: string,
Optional - String -
numeric, ip, port,
The property type
time>",
(string, numeric, ip,
"use_for_rule_engine":
port, time) of flow
true, "username":
regex property.
"String" }
v use_for_rule_engine -
Optional - Boolean -
The flag that
indicates if the flow
regex property is
parsed when the flow
is captured. It is false
if no value supplied.
v datetime_format -
Optional - String -
The date/time
pattern that the flow
regex property
matches. It is
required when
property type is
TIME.
v locale - Optional -
String - The language
tag of the locale that
the property
matches.The locale is
required when
property type is
TIME.
v username - Optional
- String - The owner
of the event regex
property. If the input
username is
authorized service,
the prefix "API_token:
" is required.

Chapter 6. REST API V8.0 References 251

 Table 440. POST /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The flow regex property was updated.
403 1009 The user cannot update the resourse because it only
can be updated by the owner or admin user.
404 1002 The requested flow regex property cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an
flow regex property.

Response Description

The updated flow regex property object contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/flow_sources/custom_properties/
regex_properties/{regex_property_id}
Deletes a flow regex property. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task is started to
do this check.

Deletes a flow regex property. To ensure safe deletion, a dependency check is

carried out. This check might take some time. An asynchronous task is started to
do this check.

252 QRadar API Reference Guide

Table 441. DELETE /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 442. DELETE /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the Flow Regex property
to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 443. DELETE /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
202 The flow regex property delete request was accepted
and is in progress
403 1009 The user cannot delete the regex_property because it
only can be deleted by the owner or admin user.
404 1002 The requested flow regex property cannot be found.
500 1020 An error occurred during the attempt to delete the
flow regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_delete_tasks/
{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task .
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Chapter 6. REST API V8.0 References 253

 Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/flow_sources/custom_properties/
regex_properties/{regex_property_id}/dependents
Retrieves the objects that depend on the flow regex property.

Retrieves the objects that depend on the flow regex property.

Table 444. GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id}/dependents resource details
MIME Type
application/json

Table 445. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 446. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id}/dependents response codes
HTTP Response
Code Unique Code Description
202 The flow regex property dependents retrieval was
accepted and is in progress.
404 1002 The flow regex property does not exist.

254 QRadar API Reference Guide

Table 446. GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id}/dependents response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to initiate the
flow regex property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_dependents_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,

Chapter 6. REST API V8.0 References 255

 "created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

256 QRadar API Reference Guide

GET /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Retrieves the flow regex property dependent task status.

Retrieves the flow regex property dependent task status.

Table 447. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id} resource details
MIME Type
application/json

Table 448. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 449. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested task status cannot be found.
422 1005 The task id is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.

Chapter 6. REST API V8.0 References 257

 v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,

258 QRadar API Reference Guide

 "maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Cancels the flow regex property dependent task.

Cancels the flow regex property dependent task.

Table 450. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id} resource details
MIME Type
application/json

Table 451. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 6. REST API V8.0 References 259

 Table 451. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 452. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id} request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 453. POST /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id} response codes
HTTP Response
Code Unique Code Description
200 The delete task status was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.

260 QRadar API Reference Guide

v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,

Chapter 6. REST API V8.0 References 261

 QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.

Retrieves the regex property dependent task results.

Table 454. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}/results resource details
MIME Type
application/json

262 QRadar API Reference Guide

Table 455. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}/results request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 456. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id}/results response codes
HTTP Response
Code Unique Code Description
200 The requested task results was retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the
task status.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:

Chapter 6. REST API V8.0 References 263

 ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /config/global_system_notifications
Retrieves a list of all deployed global system notifications.

Retrieves the list of deployed global system notifications.

Table 457. GET /config/global_system_notifications resource details
MIME Type
application/json

264 QRadar API Reference Guide

Table 458. GET /config/global_system_notifications request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 459. GET /config/global_system_notifications response codes

HTTP Response
Code Unique Code Description
200 The deployed global system notifications list was
successfully retrieved.
500 1020 An internal server error occurred during the
retrieval of the list of deployed global system
notifications.

Response Description

A list of all deployed global system notifications. A notification contains the

following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or
not.
v enabled - Boolean - Whether the notification is enabled or not.

Chapter 6. REST API V8.0 References 265

 Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /config/global_system_notifications/{notification_id}
Retrieves a deployed global system notification by ID.

Retrieves a deployed global system notification by ID.

Table 460. GET /config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 461. GET /config/global_system_notifications/{notification_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number text/plain ID that is used for
(Integer) retrieving a deployed
global system
notification.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 462. GET /config/global_system_notifications/{notification_id} response codes

HTTP Response
Code Unique Code Description
200 The deployed global system notification was
successfully retrieved.
404 1002 No deployed global system notification was found
for the provided notification ID.
500 1020 An error occurred while the notification was being
retrieved.

Response Description

The associated deployed global system notification object. A notification contains

the following fields:
v id - Long - The ID of the notification.

266 QRadar API Reference Guide

 v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or
not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

GET /config/network_hierarchy/networks
Retrieves the deployed network hierarchy.

Retrieves the deployed network hierarchy.

Table 463. GET /config/network_hierarchy/networks resource details
MIME Type
application/json

Table 464. GET /config/network_hierarchy/networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 465. GET /config/network_hierarchy/networks response codes

HTTP Response
Code Unique Code Description
200 The network hierarchy was returned.
500 1020 An error occurred during the attempt to retreive the
network hierarchy.

Chapter 6. REST API V8.0 References 267

 Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with

the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/network_hierarchy/staged_networks
Retrieves the staged network hierarchy.

Retrieves the staged network hierarchy.

Table 466. GET /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 467. GET /config/network_hierarchy/staged_networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 468. GET /config/network_hierarchy/staged_networks response codes

HTTP Response
Code Unique Code Description
200 The network hierarchy was returned
500 1020 An error occurred during the attempt to retreive the
network hierarchy

268 QRadar API Reference Guide

 Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with

the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

PUT /config/network_hierarchy/staged_networks
Replaces the current network hierarchy with the input that is provided.

Replaces the current network hierarchy with the input that is provided.
Table 469. PUT /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 470. PUT /config/network_hierarchy/staged_networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 269

 Table 471. PUT /config/network_hierarchy/staged_networks request body details
Parameter Data Type MIME Type Description Sample
network_hierarchy Array<Object> application/ Required - A JSON String that [ { "id": 4, "group": "DMZ", "name":
json contains network hierarchy objects "External", "description": "network
with the following fields: description", "cidr": "0.0.0.1/32",
"domain_id": 0 }, { "id": 5, "group":
v id - Optional - Integer - The ID of
"DMZ", "name": "External",
the network object.
"description": "network description",
v group - Required - String - The "cidr": "0.0.0.2/32", "domain_id": 0 } ]
group of the network object.
v name - Required - String - The
name of the network object.
v cidr - Required - String - The
CIDR range of the network object.
v description - Optional - String -
The description of the network
object.
v domain_id - Optional - Integer -
The domain ID of the network
object (required if domain aware).

Table 472. PUT /config/network_hierarchy/staged_networks response codes

HTTP Response
Code Unique Code Description
200 The network hierarchy was successfully replaced.
409 1004 A duplicate parameter was passed to the API call.
422 1005 An invalid parameter was passed to the API call.
500 1020 An unexpected error occurred during the creation of
the network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects, each

with the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/remote_networks
Retrieves a list of deployed remote networks.

Retrieves the list of deployed remote networks

270 QRadar API Reference Guide

Table 473. GET /config/remote_networks resource details
MIME Type
application/json

Table 474. GET /config/remote_networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you want
to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list based on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 475. GET /config/remote_networks response codes

HTTP Response
Code Unique Code Description
200 The deployed remote networks list was successfully
retrieved.
500 1020 An internal server error occurred during the
retrieval of the list of deployed remote networks.

Response Description

A list of deployed remote networks.

v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote network.

Chapter 6. REST API V8.0 References 271

 Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/remote_networks/{network_id}
Retrieves a deployed remote network by ID.

Retrieves a deployed remote network by ID.

Table 476. GET /config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 477. GET /config/remote_networks/{network_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
network_id path Required Number text/plain ID that is used to
(Integer) retrieve a deployed
remote network.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 478. GET /config/remote_networks/{network_id} response codes

HTTP Response
Code Unique Code Description
200 The deployed remote network was successfully
retrieved.
404 1002 No deployed remote network was found with the
provided ID.
500 1020 An error occurred during the retrieval of the remote
network.

Response Description

The associated deployed remote network object.

v id - Long - The ID of the remote network.

272 QRadar API Reference Guide

 v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /config/remote_services
Retrieves a list of deployed remote services.

Retrieves the list of deployed remote services.

Table 479. GET /config/remote_services resource details
MIME Type
application/json

Table 480. GET /config/remote_services request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 273

 Table 481. GET /config/remote_services response codes
HTTP Response
Code Unique Code Description
200 The deployed remote services list was successfully
retrieved.
500 1020 An internal server error occurred during the
retrieval of the list of deployed remote services.

Response Description

A list of deployed remote services.

v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote service.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/remote_services/{service_id}
Retrieves a deployed remote service by ID.

Retrieves a deployed remote service by ID.

Table 482. GET /config/remote_services/{service_id} resource details
MIME Type
application/json

Table 483. GET /config/remote_services/{service_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
service_id path Required Number text/plain ID that is used for
(Integer) retrieving a deployed
remote service.

274 QRadar API Reference Guide

 Table 483. GET /config/remote_services/{service_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 484. GET /config/remote_services/{service_id} response codes

HTTP Response
Code Unique Code Description
200 The deployed remote service was successfully
retrieved.
404 1002 No deployed remote service was found with the
provided ID.
500 1020 An error occurred during the retrieval of the remote
service.

Response Description

The associated deployed remote service object.

v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

GET /config/resource_restrictions
Retrieves a list of all resource restrictions.

Retrieves the list of all resource restrictions.

Chapter 6. REST API V8.0 References 275

 Table 485. GET /config/resource_restrictions resource details
MIME Type
application/json

Table 486. GET /config/resource_restrictions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 487. GET /config/resource_restrictions response codes

HTTP Response
Code Unique Code Description
200 The resource restriction list was successfully
retrieved.
500 1001 An error occurred during the attempt to retrieve the
restriction list.

Response Description

A list of all the restrictions.

Response Sample
[
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,

276 QRadar API Reference Guide

 "tenant_id": 42,
"user_id": 42
}
]

POST /config/resource_restrictions
Creates a new resource restriction.

Creates a new resource restriction.

Table 488. POST /config/resource_restrictions resource details
MIME Type
application/json

Table 489. POST /config/resource_restrictions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 490. POST /config/resource_restrictions request body details

Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/ Required - The resource { "data_window": 42,
json restriction to be added. "execution_time": 42, "id":
Only one of the ID fields "String", "record_limit":
(user_id, tenant_id, 42, "role_id": 42,
role_id) can be provided. "tenant_id": 42, "user_id":
42 }

Table 491. POST /config/resource_restrictions response codes

HTTP Response
Code Unique Code Description
200 The new resource restriction was successfully
created.
404 1009 The consumer (user, tenant, or role) provided was
not found.
422 1008 One of: user_id, role_id, or tenant_id
500 1010 An error occurred during the attempt to create a
resource restriction.

Response Description
The associated restriction object.

Chapter 6. REST API V8.0 References 277

 Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/resource_restrictions/{resource_restriction_id}
Retrieves a resource restriction consumer by ID.

Retrieves a resource restriction consumer by ID.

Table 492. GET /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 493. GET /config/resource_restrictions/{resource_restriction_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
resource_restriction_id path Required String text/plain Required - The
resource restriction ID
of the resource
restriction to be
retrieved. Must be of
the format [1-3]-\d+
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 494. GET /config/resource_restrictions/{resource_restriction_id} response codes

HTTP Response
Code Unique Code Description
200 The resource restriction consumer was successfully
retrieved.
404 1003 No such resource restriction consumer (user, tenant,
or role) exists for the given ID.
422 1002 Provided ID is not a valid format. must be [1-3]-\d+
500 1004 An error occurred during the retrtieval resource
restrictions.

Response Description

The associated restriction object.

278 QRadar API Reference Guide

 Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

DELETE /config/resource_restrictions/
{resource_restriction_id}
Deletes a resource restriction consumer by ID.

Deletes a resource restriction consumer by ID.

Table 495. DELETE /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
text/plain

Table 496. DELETE /config/resource_restrictions/{resource_restriction_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
resource_restriction_id path Required String text/plain Required - The
resource restriction ID
of the resource
restriction to be
retrieved. Must be of
the format [1-3]-\d+

Table 497. DELETE /config/resource_restrictions/{resource_restriction_id} response codes

HTTP Response
Code Unique Code Description
204 The resource restriction consumer was successfully
deleted.
404 1003 null
422 1002 Provided ID is not a valid format. Must be of the
format [1-3]-\d+
500 1004 An error occurred during the retrieval of the
resource restrictions.

Response Description

The deleted restriction object.

Response Sample

PUT /config/resource_restrictions/{resource_restriction_id}
Updates a resource restriction consumer by ID.

Updates a resource restriction consumer by ID.

Chapter 6. REST API V8.0 References 279

 Table 498. PUT /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 499. PUT /config/resource_restrictions/{resource_restriction_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
resource_restriction_id path Required String text/plain Required - The
resource restriction ID
of the resource
restriction to be
updated. Must be of
the format [1-3]-\d+
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 500. PUT /config/resource_restrictions/{resource_restriction_id} request body details

Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/ Required - The resource { "data_window": 42,
json restrictions to be "execution_time": 42, "id":
updated. "String", "record_limit":
42, "role_id": 42,
"tenant_id": 42, "user_id":
42 }

Table 501. PUT /config/resource_restrictions/{resource_restriction_id} response codes

HTTP Response
Code Unique Code Description
200 The resource restriction consumer was successfully
updated.
404 1006 The resource restriction consumer (user, tenant, or
role) wasn't found.
422 1005 Provided ID is not a valid format. Must be of the
format [1-3]-\d+
500 1007 An error occurred during the retrieval of the
resource restriction.

Response Description
The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,

280 QRadar API Reference Guide

 "id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/store_and_forward/policies
Retrieves a list of store and forward policies.

Retrieves a list of store and forward policies.

Table 502. GET /config/store_and_forward/policies resource details
MIME Type
application/json

Table 503. GET /config/store_and_forward/policies request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 504. GET /config/store_and_forward/policies response codes

HTTP Response
Code Unique Code Description
200 The store and forward policies were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
store and forward policies.

Chapter 6. REST API V8.0 References 281

 Response Description

An array of Store and Forward Policy objects. An Store and Forward Policy object
contains the following fields:
v id - Long - The ID of the store and forward policy.
v name - String - The name of the store and forward policy.
v description - String - The description of the store and forward policy.
v timezone - String - The timezone of the store and forward policy.
v owner - String - The owner of the store and forward policy.
v store_and_forward_schedule_id - Long - The schedule ID of the store and
forward policy.
v created - Long - The time in milliseconds since epoch since the store and
forward policy was created.
v modified - Long - The time in milliseconds since epoch since the store and
forward policy was last modified.

Response Sample
[
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}
]

GET /config/store_and_forward/policies/{id}
Retrieves a store and forward policy.

Retrieves a store and forward policy.

Table 505. GET /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 506. GET /config/store_and_forward/policies/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

282 QRadar API Reference Guide

Table 506. GET /config/store_and_forward/policies/{id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 507. GET /config/store_and_forward/policies/{id} response codes

HTTP Response
Code Unique Code Description
200 The store and forward policy was retrieved.
404 1002 The store and forward policy does not exist.
500 1020 An error occurred during the attempt to retrieve the
store and forward policy.

Response Description

The store and forward policy after it has been retrieved. An Store and Forward
Policy object contains the following fields:
v id - Long - The ID of the store and forward policy.
v name - String - The name of the store and forward policy.
v description - String - The description of the store and forward policy.
v timezone - String - The timezone of the store and forward policy.
v owner - String - The owner of the store and forward policy.
v store_and_forward_schedule_id - Long - The schedule ID of the store and
forward policy.
v created - Long - The time in milliseconds since epoch since the store and
forward policy was created.
v modified - Long - The time in milliseconds since epoch since the store and
forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

Chapter 6. REST API V8.0 References 283

 POST /config/store_and_forward/policies/{id}
Updates the store and forward policy owner only.

Updates the store and forward policy owner only

Table 508. POST /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 509. POST /config/store_and_forward/policies/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 510. POST /config/store_and_forward/policies/{id} request body details

MIME
Parameter Data Type Type Description Sample
policy Object application/ null { "description": "String",
json "id": 42, "name":
"String", "owner":
"String",
"saf_schedule_id": 42,
"timezone": "String" }

Table 511. POST /config/store_and_forward/policies/{id} response codes

HTTP Response
Code Unique Code Description
200 The store and forward policy has been updated.
403 1009 You do not have the required capabilities to update
the store and forward policy.
404 1002 The store and forward policy does not exist.
409 1004 The provided user does not have the required
capabilities to own the store and forward policy.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
store and forward policy.

284 QRadar API Reference Guide

 Response Description

The store and forward policy after it was updated. An Store and Forward Policy
object contains the following fields:
v id - Long - The ID of the store and forward policy.
v name - String - The name of the store and forward policy.
v description - String - The description of the store and forward policy.
v timezone - String - The timezone of the store and forward policy.
v owner - String - The owner of the store and forward policy.
v store_and_forward_schedule_id - Long - The schedule ID of the store and
forward policy.
v created - Long - The time in milliseconds since epoch since the store and
forward policy was created.
v modified - Long - The time in milliseconds since epoch since the store and
forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

DELETE /config/store_and_forward/policies/{id}
Deletes a store and forward policy.

Deletes a store and forward policy.

Table 512. DELETE /config/store_and_forward/policies/{id} resource details
MIME Type
text/plain

Table 513. DELETE /config/store_and_forward/policies/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Table 514. DELETE /config/store_and_forward/policies/{id} response codes

HTTP Response
Code Unique Code Description
204 The Store and Forward Policy has been deleted
403 1009 You do not have the required capabilities to delete
the store and forward policy
404 1002 The Store and Forward Policy does not exist

Chapter 6. REST API V8.0 References 285

 Table 514. DELETE /config/store_and_forward/policies/{id} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to delete the
store and forward policy

Response Description
Response Sample

Data classification endpoints

Use the references for REST API V8.0 data classification endpoints.

GET /data_classification/dsm_event_mappings
Retrieve a list of DSM event mappings.

Retrieves a list of DSM event mappings.

Table 515. GET /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Table 516. GET /data_classification/dsm_event_mappings request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

286 QRadar API Reference Guide

 Table 517. GET /data_classification/dsm_event_mappings response codes
HTTP Response
Code Unique Code Description
200 The requested list of DSM event mappings was
retrieved.
500 1020 An error occurred during the attempt to retrieve the
list of DSM event mappings.

Response Description

A list of DSM event mappings. A DSM event mapping contains the following
fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

Response Sample
[
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}
]

POST /data_classification/dsm_event_mappings
Creates a new custom DSM event mapping.

Creates a new custom DSM event mapping.

Table 518. POST /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 287

 Table 519. POST /data_classification/dsm_event_mappings request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 520. POST /data_classification/dsm_event_mappings request body details

Parameter Data Type MIME Type Description Sample
data Object application/ Required - A DSM event { "log_source_event_category":
json mapping that contains the "String", "log_source_event_id":
following fields: "String", "log_source_type_id": 42,
v log_source_type_id - "qid_record_id": 42 }
Required - Number - The ID
of the Log Source Type this
DSM event mapping resource
is associated with.
v log_source_event_id -
Required - String - The
primary identifying value
parsed from an event to be
used to look up the
corresponding QID record.
v log_source_event_category -
Required - String - The
secondary identifying value
parsed from an event to be
used to look up the
corresponding QID record.
v qid_record_id - Required -
Number - The ID of the QID
record to which this DSM
event mapping provides a
mapping.

Table 521. POST /data_classification/dsm_event_mappings response codes

HTTP Response
Code Unique Code Description
201 The new custom DSM event mapping was created.
409 1008 There is an existing custom DSM event mapping
with same the log_source_type_id,
log_source_event_id and log_source_event_category
combination. Cannot create duplicate DSM event
mapping.
422 1005 Invalid parameter value provided for the new DSM
event mapping.
500 1020 An error occurred during the attempt to create a
new custom DSM event mapping.

288 QRadar API Reference Guide

 Response Description

The newly created DSM event mapping that contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/dsm_event_mappings/
{dsm_event_mapping_id}
Retrieves a DSM event mapping based on the supplied DSM event mapping ID.

Retrieves a DSM event mapping based on the supplied DSM event mapping ID.
Table 522. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
resource details
MIME Type
application/json

Table 523. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
dsm_event_mapping_id path Required Number text/plain Required - The ID of the
(Integer) DSM event mapping.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Chapter 6. REST API V8.0 References 289

 Table 524. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
response codes
HTTP Response
Code Unique Code Description
200 The requested DSM event mapping was retrieved.
404 1002 The requested DSM event mapping was not found.
500 1020 An error occurred during the attempt to retrieve the
DSM event mapping.

Response Description

A DSM event mapping that contains the following fields:

v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

POST /data_classification/dsm_event_mappings/
{dsm_event_mapping_id}
Updates an existing custom DSM event mapping.

Updates an existing custom DSM event mapping.

Table 525. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
resource details
MIME Type
application/json

Table 526. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

request parameter details
Parameter Type Optionality Data Type MIME Type Description
dsm_event_mapping_id path Required Number text/plain Required - The ID of the
(Integer) DSM event mapping.

290 QRadar API Reference Guide

Table 526. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 527. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

request body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - The DSM { "qid_record_id": 42 }
json event mapping to be
updated that might
contain the following
field:
v qid_record_id -
Number - Required -
The ID of the QID
record to which this
DSM event mapping
provides a mapping.

Table 528. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

response codes
HTTP Response
Code Unique Code Description
200 The DSM event mapping was updated.
404 1002 The requested DSM event mapping was not found.
422 1005 Invalid parameter provided while updating the DSM
event mapping.
500 1020 An error occurred during the attempt to update a
DSM event mapping.

Response Description

The updated DSM event mapping that contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).

Chapter 6. REST API V8.0 References 291

 v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/high_level_categories
Retrieves a list of high level categories.

Retrieves a list of high level categories.

Table 529. GET /data_classification/high_level_categories resource details
MIME Type
application/json

Table 530. GET /data_classification/high_level_categories request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

292 QRadar API Reference Guide

 Table 531. GET /data_classification/high_level_categories response codes
HTTP Response
Code Unique Code Description
200 The requested list of high level categories was
retrieved.
422 23003 Sorting is only supported for fields "id" or "name".
422 23004 The sort field that was provided does not exist.
422 23005 Sorting on multiple fields is not supported.
500 1020 An error occurred during the attempt to retrieve the
list of high level categories.

Response Description

A list of high level categories. A high level category contains the following fields:
v id - Number - The ID of the high level category.
v name - String - The name of the high level category.
v description - String - The description of the high level category.

Response Sample
[
{
"id": 19000,
"name": "Audit",
"description": "Audit"
},
{
"id": 20000,
"name": "Risk",
"description": "Risk"
}
]

GET /data_classification/high_level_categories/
{high_level_category_id}
Retrieves a high level category based on the supplied high level category ID.

Retrieves a high level category based on the supplied high level category ID.
Table 532. GET /data_classification/high_level_categories/{high_level_category_id} resource
details
MIME Type
application/json

Table 533. GET /data_classification/high_level_categories/{high_level_category_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
high_level_category_id path Required Number text/plain Required - the ID of the
(Integer) high level category.

Chapter 6. REST API V8.0 References 293

 Table 533. GET /data_classification/high_level_categories/{high_level_category_id} request
parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 534. GET /data_classification/high_level_categories/{high_level_category_id} response

codes
HTTP Response
Code Unique Code Description
200 The requested high level category was retrieved.
404 1002 The requested high level category was not found.
422 1005 High level category ID must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the
high level category.

Response Description

A high level category that contains the following fields:

v id - Number - The ID of the high level category.
v name - String - The name of the high level category.
v description - String - The description of the high level category.

Response Sample
{
"id": 19000,
"name": "Audit",
"description": "Audit",
}

GET /data_classification/low_level_categories
Retrieves a list of low level categories.

Retrieves a list of low level categories.

Table 535. GET /data_classification/low_level_categories resource details
MIME Type
application/json

294 QRadar API Reference Guide

Table 536. GET /data_classification/low_level_categories request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 537. GET /data_classification/low_level_categories response codes

HTTP Response
Code Unique Code Description
200 The requested list of low level categories was
retrieved.
422 23053 Sorting is only supported for fields "id" or "name"
422 23054 The sort field that was provided does not exist.
422 23055 Sorting on multiple fields is not supported.
500 1020 An error occurred during the attempt to retrieve the
list of low level categories.

Response Description

A list of low level category objects. A low level category contains the following
fields:
v id - Number - The ID of the low level category.
v name - String - The name of the low level category.
v description - String - The description of the low level category.
v severity - Number - The severity of the low level category.
v high_level_category_id - Number - The ID of the parent high level category.

Chapter 6. REST API V8.0 References 295

 Response Sample
[
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity" : 0
},
{
"id": 19002,
"name": "Built-in Execution",
"description": " Built-in Execution",
"high_level_category_id": 19000,
"severity" : 0
}
]

GET /data_classification/low_level_categories/
{low_level_category_id}
Retrieves a low level category based on the supplied low level category ID.

Retrieves a low level category that is based on the supplied low level category ID.
Table 538. GET /data_classification/low_level_categories/{low_level_category_id} resource
details
MIME Type
application/json

Table 539. GET /data_classification/low_level_categories/{low_level_category_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
low_level_category_id path Required Number text/plain Required - The id of the
(Integer) low level category.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 540. GET /data_classification/low_level_categories/{low_level_category_id} response

codes
HTTP Response
Code Unique Code Description
200 The requested low level category was retrieved.
404 1002 The requested low level category was not found.
422 1005 Low level category ID must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the
low level category.

296 QRadar API Reference Guide

 Response Description

A low level category that contains the following fields:

v id - Number - The ID of the low level category.
v name - String - The name of the low level category.
v description - String - The description of the low level category.
v severity - Number - The severity of the low level category.
v high_level_category_id - Number - The ID of the parent high level category.

Response Sample
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity" : 0
}

GET /data_classification/qid_records
Retrieves a list of QID records.

Retrieves a list of QID records.

Table 541. GET /data_classification/qid_records resource details
MIME Type
application/json

Table 542. GET /data_classification/qid_records request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 6. REST API V8.0 References 297

 Table 543. GET /data_classification/qid_records response codes
HTTP Response
Code Unique Code Description
200 The requested list of QID records was retrieved.
500 1020 An error occurred during the attempt to retrieve the
list of QID records.

Response Description

A list of QID records. A QID record contains the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Response Sample
[
{
"id": 64280,
"qid": 2500283,
"name": "DELETED WEB-MISC OReilly args.bat access",
"description": "DELETED WEB-MISC OReilly args.bat access",
"severity": 2 ,
"low_level_category_id": 1011,
"log_source_type_id": null
},
{
"id": 64297,
"qid": 2500300,
"name": "DELETED WEB-MISC Cisco Web DOS attempt",
"description": "DELETED WEB-MISC Cisco Web DOS attempt",
"severity": 8,
"low_level_category_id": 2009
"log_source_type_id": null
}
]

POST /data_classification/qid_records
Creates a new QID record.

Creates a new QID record.

Table 544. POST /data_classification/qid_records resource details
MIME Type
application/json

298 QRadar API Reference Guide

Table 545. POST /data_classification/qid_records request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 546. POST /data_classification/qid_records request body details

MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A QID { "log_source_type_id": 199, "name":
json record containing the "spp_portscan: Portscan Detected",
following fields: "description": "spp_portscan:
v log_source_type_id - Portscan Detected", "severity": 4,
Required - Number - "low_level_category_id":1008 }
The ID of the log
source type which
the QID record is
created for.
v name - Required -
String - The name of
the QID record.
v description -
Optional - String -
The description of
the QID record.
v severity - Optional -
Number - The
severity of the QID
record. If not
provided, the
severity of the
corresponding low
level category is used
as the default value.
v
low_level_category_id
- Required - Number -
The low level category
ID of the QID record.

Table 547. POST /data_classification/qid_records response codes

HTTP Response
Code Unique Code Description
201 The new QID record was created.
422 1005 Invalid parameter value provided for the new QID
record.
500 1020 An error occurred during the attempt to create a
new QID record.

Chapter 6. REST API V8.0 References 299

 Response Description

The newly created QID record containing the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

GET /data_classification/qid_records/{qid_record_id}
Retrieves a QID record that is based on the supplied qid_record_id.

Retrieves a QID record that is based on the supplied qid_record_id.

Table 548. GET /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 549. GET /data_classification/qid_records/{qid_record_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
qid_record_id path Required Number text/plain Required - the ID of
(Integer) the QID record.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

300 QRadar API Reference Guide

 Table 550. GET /data_classification/qid_records/{qid_record_id} response codes
HTTP Response
Code Unique Code Description
200 The requested QID record was retrieved.
404 1002 The requested QID record was not found.
422 1005 qid_record_id must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the
QID record.

Response Description

A QID record containing the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

POST /data_classification/qid_records/{qid_record_id}
Updates an existing QID record.

Updates an existing QID record.

Table 551. POST /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 552. POST /data_classification/qid_records/{qid_record_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
qid_record_id path Required Number text/plain Required - The ID of
(Integer) the QID record.

Chapter 6. REST API V8.0 References 301

 Table 552. POST /data_classification/qid_records/{qid_record_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

Table 553. POST /data_classification/qid_records/{qid_record_id} request body details

Parameter Data Type MIME Type Description Sample
qid_record Object application/ Required - The QID record to { "name": "spp_portscan: Portscan
json be updated, which may contain Detected", "description":
the following fields: "spp_portscan: Portscan Detected",
v name - Optional - String - "severity": 4,
The name of the QID record. "low_level_category_id":1008 }

v description - Optional -
String - The description of
the QID record.
v severity - Optional - Number
- The severity of the QID
record.
v low_level_category_id -
Optional - Number - The low
level category ID of the QID
record.

Table 554. POST /data_classification/qid_records/{qid_record_id} response codes

HTTP Response
Code Unique Code Description
200 The QID record was updated.
404 1002 The requested QID record was not found.
409 1008 The QID record that was provided cannot be
updated because it is a system-provided QID.
422 1005 Invalid parameter was provided during the update
to the QID record.
500 1020 An error occurred during the attempt to update a
QID record.

Response Description

The updated QID record containing the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.

302 QRadar API Reference Guide

 v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

Forensics endpoints
Use the references for REST API V8.0 forensics endpoints.

GET /forensics/capture/recoveries
Retrieves a list of capture recoveries.

Retrieves a list of recoveries.

Table 555. GET /forensics/capture/recoveries resource details
MIME Type
application/json

Table 556. GET /forensics/capture/recoveries request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 6. REST API V8.0 References 303

 Table 556. GET /forensics/capture/recoveries request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 557. GET /forensics/capture/recoveries response codes

HTTP Response
Code Unique Code Description
200 The Workflow Recovery Jobs were retrieved.
500 1020 An error occurred while the recovery job list was
being retrieved.

Response Description

A list of recoveries. A recovery contains the following fields:

v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to
store the recovered data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this
recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when
searching. These are user supplied string identifiers that are used to mark the
data so the user can easily look up the data later.

Response Sample
[
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"

304 QRadar API Reference Guide

 ],
"tags": [
"String"
]
}
]

POST /forensics/capture/recoveries
Creates a new capture recovery.

Creates a new recovery.

Table 558. POST /forensics/capture/recoveries resource details
MIME Type
application/json

Table 559. POST /forensics/capture/recoveries request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 560. POST /forensics/capture/recoveries request body details

MIME
Parameter Data Type Type Description Sample
recovery Object application/null { "assigned_to": "String", "bpf": "String",
json "case_id": 42, "collection_name_suffix":
"String", "recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [ "String" ], "tags": [ "String"
]}

Table 561. POST /forensics/capture/recoveries response codes

HTTP Response
Code Unique Code Description
201 The workflow recovery job was created.
403 1009 The user or targeted user does not have the
capability to perform this request.
409 1000 null
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the
recovery job.

Chapter 6. REST API V8.0 References 305

 Response Description

The newly created recovery that contains the following fields:

v assigned_to - String - The username of the user the recovery is assigned to. If
not supplied the recovery will be assigned to the user making the request.
Requires a valid user with Forensics role. Not an authorized service.
v bpf - String - The Berkeley Packet Filter to pass to the capture device. A
simplified Berkley Packet Filter expression to pass to the capture device to apply
when recovering network data. Maximum length is 250 characters
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to
store the recovered data in. Collection name(s) for recovery tasks are derived
from this value and capture devices where network data originates as a recovery
task is created for each device. (e.g. A collection name suffix of "mycollection"
and data recovered from capture device IP "10.0.0.2" results in a collection that is
named "10.0.0.2_mycollection"). NOTE: If the collection name already exists in
the case the existing collection is deleted. Maximum length is 100 characters.
Alphanumeric and period characters are permitted only.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this
recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when
searching. These are user supplied string identifiers that are used to mark the
data so the user can easily look up the data later. Maximum length 255
alphanumeric characters (all values converted to space separated string)

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}

GET /forensics/capture/recoveries/{id}
Retrieves a recovery based on the supplied ID.

Retrieves a recovery based on the supplied ID.

306 QRadar API Reference Guide

Table 562. GET /forensics/capture/recoveries/{id} resource details
MIME Type
application/json

Table 563. GET /forensics/capture/recoveries/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the workflow job to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 564. GET /forensics/capture/recoveries/{id} response codes

HTTP Response
Code Unique Code Description
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred during the retrieval of the
recovery job.

Response Description
A recovery that contains the following fields:
v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to
store the recovered data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this
recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when
searching. These are user supplied string identifiers that are used to mark the
data so the user can easily look up the data later.

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,

Chapter 6. REST API V8.0 References 307

 "collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}

GET /forensics/capture/recovery_tasks
Retrieves a list of recovery tasks.

Retrieves a list of recovery tasks.

Table 565. GET /forensics/capture/recovery_tasks resource details
MIME Type
application/json

Table 566. GET /forensics/capture/recovery_tasks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 567. GET /forensics/capture/recovery_tasks response codes

HTTP Response
Code Unique Code Description
200 The workflow recovery job tasks were retrieved.

308 QRadar API Reference Guide

Table 567. GET /forensics/capture/recovery_tasks response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while the recovery job task list
was being retrieved.

Response Description
A list of recovery tasks. A recovery task contains the following fields:
v assigned_to - String - The username of the user the recovery task is assigned to.
v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data.
The IP address of the capture device at time of recovery.
v case_id - String - ID of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored.
Derived from device recovery collection name suffix. NOTE: This is used as part
of the collection_name to uniquely identify and index the data at time of
recovery and is not updated if the capture device IP address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host the recovery task is
running on.
v recovery_id - Long - ID of the recovery this task belongs to.
v recovery_window_end_time - Long - End of time range for data recovery
window sent to capture device. Data recovered is from before this time.
v recovery_window_start_time - Long - Start of time range for data recovery
window sent to capture device. Data recovered is from after this time.
v status - String - Current status of this task. Possible values are:
CANCELED - Recovery from capture device canceled. Any documents
recovered before cancellation remain in the system.
CANCELLING - Recovery from capture device in process of cancellation
FAILED - Something went wrong with the recovery.
IN_PROGRESS - The capture device is processing the recovery.
NEW - The recovery task was created and is waiting to be picked up by the
system.
PENDING - The recovery task was picked up by the system and is waiting
for the capture device to start processing the recovery.
SUCCESS - Recovery from capture device successfully completed
v tags - String Array - Identifiers that are applied to recovered data to assist with
grouping when searching. These are user-supplied string identifiers that are
used to mark the data so the user can easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
[
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,

Chapter 6. REST API V8.0 References 309

 "collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,
NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}
]

GET /forensics/capture/recovery_tasks/{id}
Retrieves a recovery task based on the supplied ID.

Retrieves a recovery task based on the supplied ID.

Table 568. GET /forensics/capture/recovery_tasks/{id} resource details
MIME Type
application/json

Table 569. GET /forensics/capture/recovery_tasks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the workflow job to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 570. GET /forensics/capture/recovery_tasks/{id} response codes

HTTP Response
Code Unique Code Description
200 The Workflow Recovery Job was retrieved.
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred while the recovery job was being
retrieved.

310 QRadar API Reference Guide

Response Description

A recovery task containing the following fields:

v assigned_to - String - The username of the user the recovery task is assigned to.
v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data.
The IP address of the capture device at time of recovery.
v case_id - String - Id of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored.
Derived from device recovery collection name suffix. NOTE: This is used as part
of the collection_name to uniquely identify and index the data at time of
recovery and is not updated if the capture device ip address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host where the recovery task
runs.
v recovery_id - Long - ID of the recovery this task belongs to.
v recovery_window_end_time - Long - End of time range for data recovery
window sent to capture device. Data recovered is from before this time.
v recovery_window_start_time - Long - Start of time range for data recovery
window sent to capture device. Data recovered is from after this time.
v status - String - Current status of this task. Possible values are:
CANCELED - Recovery from capture device canceled. Any documents
recovered before cancellation remain in the system.
CANCELLING - Recovery from capture device in process of cancellation.
FAILED - Something went wrong with the recovery.
IN_PROGRESS - The capture device is processing the recovery.
NEW - The recovery task was created and is waiting to be picked up by the
system.
PENDING - The recovery task was picked up by the system and is waiting
for the capture device to start processing the recovery.
SUCCESS - Recovery from capture device successfully completed
v tags - String Array - Identifiers that are applied to recovered data to assist with
grouping when searching. These are user-supplied string identifiers that are
used to mark the data so the user can easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,

Chapter 6. REST API V8.0 References 311

 NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}

GET /forensics/case_management/case_create_tasks/{id}
Retrieves a case create task based on the supplied id.

Retrieves a case create task based on the supplied id.

Table 571. GET /forensics/case_management/case_create_tasks/{id} resource details
MIME Type
application/json

Table 572. GET /forensics/case_management/case_create_tasks/{id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The id of
(Integer) the case create task to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 573. GET /forensics/case_management/case_create_tasks/{id} response codes

HTTP Response
Code Unique Code Description
200 The case create task was retrieved.
404 1002 No case create task was found for the provided ID.
500 1020 An error occurred during the retrieval of the case
create task.

Response Description

A case create task containing the following fields:

v assigned_to - String Array - Usernames of users to give access to the case once it
is created. Users must have the FORENSICS role. Authorized services are not
allowed.
v case_id - Long - ID for the created case .

312 QRadar API Reference Guide

 v case_name - String - Name to give the created case.
v id - Long - ID for the case create task.
v status - String - Possible values are:
COMPLETE - The case has been created across all managed hosts.
PARTIALLY_COMPLETE - The case was created on at least one managed
host, but not all of them. The case is considered to be usable, but functionality
might be limited. This usually means one or more managed hosts are down
and the case is not created yet. The task completes after all offending
managed hosts either complete the task, or are removed from the
deployment.
PROCESSING - The task has been picked up by QRadar and is actively
being processed. Cases are being created on the managed hosts.
WAITING - The task is waiting for its time to be processed. Nothing is being
done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}

GET /forensics/case_management/cases
Retrieves a list of cases.

Retrieves a list of cases.

Table 574. GET /forensics/case_management/cases resource details
MIME Type
application/json

Table 575. GET /forensics/case_management/cases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 6. REST API V8.0 References 313

 Table 575. GET /forensics/case_management/cases request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 576. GET /forensics/case_management/cases response codes

HTTP Response
Code Unique Code Description
200 The cases were retrieved.
500 1020 An error occurred during the retrieval of the case
list.

Response Description

A list of cases. A case contains the following fields:

v assigned_to - String Array - Usernames of the users who have access to the case.
Users must have the FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
[
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}
]

POST /forensics/case_management/cases
Creates a new case.

Creates a new case.

Table 577. POST /forensics/case_management/cases resource details
MIME Type
application/json

314 QRadar API Reference Guide

Table 578. POST /forensics/case_management/cases request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 579. POST /forensics/case_management/cases request body details

MIME
Parameter Data Type Type Description Sample
case Object application/ null { "assigned_to": [
json "String" ], "name":
"String" }

Table 580. POST /forensics/case_management/cases response codes

HTTP Response
Code Unique Code Description
201 The case was created.
403 1009 The user or targeted user does not have the
capability to perform this request.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the case.

Response Description

The case create status contains the following fields:

v assigned_to - String Array - Usernames of users to give access to the case once it
is created. Users must have the FORENSICS role. Authorized services are not
allowed. If the case is not assign to anyone, it is assigned to the creator if they
are a user (not authorized service). Otherwise, it is only accessible by an
administrator. NOTE: During creation the assigned_to list can contain at most
one username.
v case_id - Long - ID for the created case.
v case_name - String - Name to give the created case. The case name must include
alphanumeric characters only, and be 1-15 characters long with no spaces. Case
names are unique.
v id - Long - ID for the case create task.
v status - String - Possible values are:
COMPLETE - The case has been created across all managed hosts.
PARTIALLY_COMPLETE - The case has been created on at least one
managed host, but not all of them. The case is considered to be usable, but
functionality might be limited. This usually means one or more managed

Chapter 6. REST API V8.0 References 315

 hosts are down and the case is not created yet. The task completes after all
offending managed hosts either complete the task or are removed from the
deployment.
PROCESSING - The task was picked up by QRadar and is actively being
processed. Cases are being created on the managed hosts.
WAITING - The task is waiting for its time to be processed. Nothing is being
done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}

GET /forensics/case_management/cases/{id}
Retrieves a case based on the supplied id.

Retrieves a case based on the supplied ID.

Table 581. GET /forensics/case_management/cases/{id} resource details
MIME Type
application/json

Table 582. GET /forensics/case_management/cases/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the workflow job to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 583. GET /forensics/case_management/cases/{id} response codes

HTTP Response
Code Unique Code Description
404 1002 No case was found for the provided ID.
500 1020 An error occurred during the retrieval of the case.

316 QRadar API Reference Guide

 Response Description

A case that contains the following fields:

v assigned_to - String Array - Usernames of the users who have access to the case.
Users must have the FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}

GUI application framework endpoints

Use the references for REST API V8.0 GUI application framework endpoints.

GET /gui_app_framework/application_creation_task
Retrieve status details.

Retrieve a list of status details of all asynchronous requests to create applications.

Table 584. GET /gui_app_framework/application_creation_task resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 585. GET /gui_app_framework/application_creation_task response codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the requests to create applications.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,

Chapter 6. REST API V8.0 References 317

 ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task
Creates a new application within the Application framework.

Create a new application within the Application framework, and register it with
QRadar. The application is created asynchronously. A reference to the
application_id is returned and should be used in subsequent API calls to determine
the status of the application installation.
Table 586. POST /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 587. POST /gui_app_framework/application_creation_task request body details

Parameter Data Type MIME Type Description Sample

package zip application/zip A zip file, that contains null

custom code, and a
application manifest JSON file
descriptor

Table 588. POST /gui_app_framework/application_creation_task response codes

HTTP Response
Code Unique Code Description
201 The application was installed and registered
successfully.

409 1008 An application with that UUID is already installed.

Only an upgrade or delete can be performed in this
state.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,

318 QRadar API Reference Guide

 ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

GET /gui_app_framework/application_creation_task/
{application_id}
Retrieve a list of status details of a asynchronous request to create application.
Table 589. GET /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 590. GET /gui_app_framework/application_creation_task/{application_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get the status
(Integer) details of this application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 591. GET /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the request to create application.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [

Chapter 6. REST API V8.0 References 319

 {
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task/
{application_id}
Cancel a new application install within the Application framework.

Use this endpoint to cancel a new application install within the Application
framework. The application_id and a status are required.
Table 592. POST /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 593. POST /gui_app_framework/application_creation_task/{application_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number text/plain Required - The
(Integer) application_id to cancel
installing.
status query Required String text/plain Required - The status to
update the application
install to. Currently only
CANCELLED is
supported

Table 594. POST /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 The application installation was canceled and
unregistered successfully.
404 1002 The application_id is invalid or could not be found.
422 1005 The status is not valid.
500 1020 An error occurred when attempting to update the
Application request state.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",

320 QRadar API Reference Guide

 "status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

GET /gui_app_framework/applications
Retrieve list of applications

Retrieve a list of applications that are installed on the console, with their manifest
json structures and current status.
Table 595. GET /gui_app_framework/applications resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 596. GET /gui_app_framework/applications response codes
HTTP Response
Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of applications.

Response Description

The list of applications.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

Chapter 6. REST API V8.0 References 321

 "areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [

322 QRadar API Reference Guide

 {
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

GET /gui_app_framework/applications/{application_id}
Retrieve specific application

Retrieve a specific application installed on the console with manifest json structure
and current status.

Chapter 6. REST API V8.0 References 323

 Table 597. GET /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 598. GET /gui_app_framework/applications/{application_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get specific
(Integer) installed application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 599. GET /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
application.

Response Description

The specific application.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{

324 QRadar API Reference Guide

 "text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",

Chapter 6. REST API V8.0 References 325

 "icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

POST /gui_app_framework/applications/{application_id}
Update an Application

Start or stop an application by setting status to RUNNING or STOPPED

respectively.
Table 600. POST /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

326 QRadar API Reference Guide

Table 601. POST /gui_app_framework/applications/{application_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to
update.
status query Required String text/plain Required - The
status of the
application to set to
RUNNING or
STOPPED.

Table 602. POST /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application has been successfully updated
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
422 1005 The application status is not valid.
500 1020 An error occurred while attempting to update the
application.

Response Description

Application structure including application status.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

Chapter 6. REST API V8.0 References 327

 "dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy
of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{

328 QRadar API Reference Guide

 "id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

PUT /gui_app_framework/applications/{application_id}
Upgrade an application.

Upgrade an application.
Table 603. PUT /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 604. PUT /gui_app_framework/applications/{application_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain null
(Integer)

Chapter 6. REST API V8.0 References 329

 Table 605. PUT /gui_app_framework/applications/{application_id} request body details
Parameter Data Type MIME Type Description Sample
package zip application/zip A zip file, that contains null
custom code, and a
application manifest
JSON file descriptor

Table 606. PUT /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
202 The request for an application upgrade was
accepted.
404 1002 The application_id is invalid or could not be found.
409 1008 The application is locked by another process.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

DELETE /gui_app_framework/applications/{application_id}
Delete an Application.
Table 607. DELETE /gui_app_framework/applications/{application_id} resource details
MIME Type
text/plain

330 QRadar API Reference Guide

 Table 608. DELETE /gui_app_framework/applications/{application_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to delete.

Table 609. DELETE /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
204 The application has been successfully unregistered.
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
500 1020 An error occurred while attempting to delete the
application.

Response Description
Successful response code 204 No content.

Response Sample

GET /gui_app_framework/named_services
Retrieves all named services.

Retrieves a list of all named services registered with the Application Framework.

By using the returned information, the caller can determine what services are
available and what facilities each service provides via its REST endpoints.
Table 610. GET /gui_app_framework/named_services resource details
MIME Type
application/json

There are no parameters for this endpoint.

Response Description
Table 611. GET /gui_app_framework/named_services response codes
HTTP Response
Code Unique Code Description
200 The list of named services was returned.
500 1020 An error occurred while trying to retrieve the list of
named services.

A list of named services. The documentation for /named_services/{uuid} has a

description of the details returned for a named service instance.

Chapter 6. REST API V8.0 References 331

 Response Sample
[{
"name": "resourceservice",
"version": "1",
"application_id": 1001,
"uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
"endpoints": [
{
"name": "getResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "GET",
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "createResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource",
"http_method": "POST",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "updateResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "PUT",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",

332 QRadar API Reference Guide

 "resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
}
]
}]

GET /gui_app_framework/named_services/{uuid}
Retrieves a named service.

Retrieves a named service registered with the Application Framework by using the
supplied uuid.
Table 612. GET /gui_app_framework/named_services/{uuid} resource details
MIME Type
application/json

Table 613. GET /gui_app_framework/named_services/{uuid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
uuid path Required String text/plain Required - A named
service uuid.

Response Description
Table 614. GET /gui_app_framework/named_services/{uuid} response codes
HTTP Response
Code Unique Code Description
200 The requested named service was returned.
404 1002 The requested named service could not be found.
500 1020 An error occurred while trying to retrieve the
requested named service.

The details of a named service:

v name - String - Service name.
v version - String - Service version.
v application_id - Integer - ID of the application that implements this service.
v uuid - Integer - Unique identifier for this service.
v endpoints - Array - List of endpoints provided by this service.
name - String - Endpoint name.
path - String - Endpoint URL.
http_method - String - One of GET/POST/PUT/DELETE.
request_mime_type - String - MIME type of request body.
request_body_type - Object - JSON definition of request body.
parameters - Array - List of request parameters.
- location - String - Where the parameter goes in the request. One of
PATH/QUERY/BODY.
name - String - Parameter name.

Chapter 6. REST API V8.0 References 333

 definition - String - Parameter definition, e.g. "String".
response - Object - Response definition.
- mime_type - String - MIME type of response body.
- body_type - Object - JSON definition of response body.
error_mime_type - String - MIME type of response body when an error
occurs.

Response Sample
{
"name": "resourceservice",
"version": "1",
"application_id": 1001,
"uuid": "e4081cd1-c3c8-4089-afc7-c32039bd796c",
"endpoints": [
{
"name": "getResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "GET",
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "createResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource",
"http_method": "POST",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
},
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
},
{
"name": "updateResource",
"path": "https://1.1.1.1/console/plugins/1001/
app_proxy:resourceservice/resource/{resource_id}",
"http_method": "PUT",
"request_mime_type": "application/json+ld",
"request_body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_name": "http://id.ibm.com/resourceName",

334 QRadar API Reference Guide

 "resource_owner": "http://id.ibm.com/personId"
},
"parameters": [
{ "location": "PATH", "name": "resource_id" }
],
"response": {
"mime_type": "application/json+ld",
"body_type": {
"@type": "http://id.ibm.com/Resource",
"resource_id": "http://id.ibm.com/resourceID",
"resource_name": "http://id.ibm.com/resourceName",
"resource_owner": "http://id.ibm.com/personId"
}
},
"error_mime_type": "text/plain"
}
]
}

Help endpoints
Use the references for REST API V8.0 Help endpoints.

GET /help/endpoints
Retrieves a list of endpoint documentation objects that are currently in the system.

Retrieves a list of endpoint documentation objects that are currently in the system.
Table 615. GET /help/endpoints resource details
MIME Type
application/json

Table 616. GET /help/endpoints request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 335

 Table 616. GET /help/endpoints request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 617. GET /help/endpoints response codes

HTTP Response
Code Unique Code Description
200 The endpoint documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of endpoint documentation objects. An endpoint documentation object

contains the following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent.
It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false
otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD,
POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this
endpoint.
v error_responses(response_code) - Number - The HTTP code for this error
response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error
response.
v error_responses(response_code_description) - String - The description of the
response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for
this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the
response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME
types for this endpoint.

336 QRadar API Reference Guide

v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME
type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if
there is no default value for this parameter. This is always a String, regardless of
the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER,
PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for
this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of
this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the
parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last
modified. It is less than or equal to the version in the version field.
v caller_has_access - Boolean - True if the user has the required capabilities to call
this endpoint, false otherwise.

Response Sample
[
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"

Chapter 6. REST API V8.0 References 337

 }
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}
]

GET /help/endpoints/{endpoint_id}
Retrieves a single endpoint documentation object.

Retrieves a single endpoint documentation object.

Table 618. GET /help/endpoints/{endpoint_id} resource details
MIME Type
application/json

Table 619. GET /help/endpoints/{endpoint_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
endpoint_id path Required Number text/plain The endpoint id.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

338 QRadar API Reference Guide

Table 620. GET /help/endpoints/{endpoint_id} response codes
HTTP Response
Code Unique Code Description
200 The endpoint documentation object was retrieved.
404 1002 No endpoint documentation object was found for
the provided endpoint id.
500 1020 An unexpected error has occurred.

Response Description

An endpoint documentation object. An endpoint documentation object contains the

following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent.
It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false
otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD,
POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this
endpoint.
v error_responses(response_code) - Number - The HTTP code for this error
response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error
response.
v error_responses(response_code_description) - String - The description of the
response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for
this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the
response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME
types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME
type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if
there is no default value for this parameter. This is always a String, regardless of
the underlying data type of the parameter.

Chapter 6. REST API V8.0 References 339

 v parameters(type) - String - The type of parameter, one of QUERY, HEADER,
PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for
this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of
this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the
parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last
modified. It will be less than or equal to the version in the version field.
v caller_has_access - Boolean - Returns true if the user has the required
capabilities to call this endpoint. Returns false otherwise.

Response Sample
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",

340 QRadar API Reference Guide

 "response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}

GET /help/resources
Retrieves a list of resource documentation objects currently in the system.

Retrieves a list of resource documentation objects currently in the system.

Table 621. GET /help/resources resource details
MIME Type
application/json

Table 622. GET /help/resources request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 341

 Table 623. GET /help/resources response codes
HTTP Response
Code Unique Code Description
200 The resource documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description
An array of resource documentation objects. A resource documentation object
contains the following fields:
v id - Number - The ID of the resource documentation object. This ID is not
permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs
that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for
endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of
this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
[
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}
]

GET /help/resources/{resource_id}
Retrieves a single resource documentation object.

Retrieves a single resource documentation object.

Table 624. GET /help/resources/{resource_id} resource details
MIME Type
application/json

342 QRadar API Reference Guide

Table 625. GET /help/resources/{resource_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
resource_id path Required Number text/plain The resource id.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 626. GET /help/resources/{resource_id} response codes

HTTP Response
Code Unique Code Description
200 The resource documentation object was retrieved.
404 1002 No resource documentation object was found for the
provided resource ID.
500 1020 An unexpected error has occurred.

Response Description

A resource documentation object. A resource documentation object contains the

following fields:
v id - Number - The ID of the resource documentation object. This ID is not
permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs
that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for
endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of
this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,

Chapter 6. REST API V8.0 References 343

 "path": "String",
"resource": "String",
"version": "String"
}

GET /help/versions
Retrieves a list of version documentation objects currently in the system.

Retrieves a list of version documentation objects currently in the system.

Table 627. GET /help/versions resource details
MIME Type
application/json

Table 628. GET /help/versions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 629. GET /help/versions response codes

HTTP Response
Code Unique Code Description
200 The version documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of version documentation objects. A version documentation object

contains the following fields:

344 QRadar API Reference Guide

 v id - Number - The ID of the version documentation object. This ID is not
permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false
otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false
otherwise. Endpoints cannot be called from an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in
this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
[
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
]

GET /help/versions/{version_id}
Retrieves a single version documentation object.

Retrieves a single version documentation object.

Table 630. GET /help/versions/{version_id} resource details
MIME Type
application/json

Table 631. GET /help/versions/{version_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
version_id path Required Number text/plain The ID of the version
(Integer) documentation to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 632. GET /help/versions/{version_id} response codes

HTTP Response
Code Unique Code Description
200 The version documentation object was retrieved.

Chapter 6. REST API V8.0 References 345

 Table 632. GET /help/versions/{version_id} response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No version documentation object was found for the
provided version id.
500 1020 An unexpected error has occurred.

Response Description

A version documentation object. A version documentation object contains the

following fields:
v id - Number - The ID of the version documentation object. This ID is not
permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false
otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false
otherwise. Endpoints cannot be called with an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in
this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}

IBM Security QRadar Risk Manager endpoints

Use the references for REST API V8.0 QRadar Risk Manager endpoints.

GET /qrm/model_groups
Retrieves a list of model groups.

Retrieves a list of model groups.

Table 633. GET /qrm/model_groups resource details
MIME Type
application/json

346 QRadar API Reference Guide

Table 634. GET /qrm/model_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 635. GET /qrm/model_groups response codes

HTTP Response
Code Unique Code Description
200 The model groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the
model groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 6. REST API V8.0 References 347

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/model_groups/{group_id}
Retrieves a model group.

Retrieves a model group.

Table 636. GET /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 637. GET /qrm/model_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

348 QRadar API Reference Guide

Table 638. GET /qrm/model_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The model group was retrieved.
404 1002 The model group does not exist.
500 1020 An error occurred during the attempt to retrieve the
model group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 6. REST API V8.0 References 349

 POST /qrm/model_groups/{group_id}
Updates the owner of a model group.

Updates the owner of a model group.

Table 639. POST /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 640. POST /qrm/model_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 641. POST /qrm/model_groups/{group_id} request body details

MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 642. POST /qrm/model_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The model group was updated.
404 1002 The model group does not exist.
409 1004 The provided user does not have the required
capabilities to own the model group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
model group.

350 QRadar API Reference Guide

 Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/model_groups/{group_id}
Deletes a model group.

Deletes a model group.

Chapter 6. REST API V8.0 References 351

 Table 643. DELETE /qrm/model_groups/{group_id} resource details
MIME Type
text/plain

Table 644. DELETE /qrm/model_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 645. DELETE /qrm/model_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The model group was deleted.
404 1002 The model group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
model group.

Response Description

Response Sample

GET /qrm/qrm_saved_search_groups
Retrieves a list of QRM saved search groups.

Retrieves a list of QRM saved search groups.

Table 646. GET /qrm/qrm_saved_search_groups resource details
MIME Type
application/json

Table 647. GET /qrm/qrm_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

352 QRadar API Reference Guide

Table 647. GET /qrm/qrm_saved_search_groups request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 648. GET /qrm/qrm_saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The QRM saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
QRM saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",

Chapter 6. REST API V8.0 References 353

 "parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/qrm_saved_search_groups/{group_id}
Retrieves a QRM saved search group.

Retrieves a QRM saved search group.

Table 649. GET /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 650. GET /qrm/qrm_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 651. GET /qrm/qrm_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The QRM saved search group was retrieved.
404 1002 The QRM saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
QRM saved search group.

354 QRadar API Reference Guide

 Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/qrm_saved_search_groups/{group_id}
Updates the owner of a QRM saved search group.

Updates the owner of a QRM saved search group.

Table 652. POST /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 355

 Table 653. POST /qrm/qrm_saved_search_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 654. POST /qrm/qrm_saved_search_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object { "child_groups": [ 42 ], "child_items": [ "String" ],
with the owner set to a "description": "String", "id": 42, "level": 42, "name":
valid deployed user. "String", "owner": "String", "parent_id": 42, "type":
"String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP, RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 655. POST /qrm/qrm_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The QRM saved search group was updated.
404 1002 The QRM saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the QRM saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
QRM saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).

356 QRadar API Reference Guide

 v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/qrm_saved_search_groups/{group_id}
Deletes a QRM saved search group.

Deletes a QRM saved search group.

Table 656. DELETE /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 657. DELETE /qrm/qrm_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 658. DELETE /qrm/qrm_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The QRM saved search group was deleted.

Chapter 6. REST API V8.0 References 357

 Table 658. DELETE /qrm/qrm_saved_search_groups/{group_id} response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The QRM saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
QRM saved search group.

Response Description

Response Sample

GET /qrm/question_groups
Retrieves a list of question groups.

Retrieves a list of question groups.

Table 659. GET /qrm/question_groups resource details
MIME Type
application/json

Table 660. GET /qrm/question_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

358 QRadar API Reference Guide

Table 661. GET /qrm/question_groups response codes
HTTP Response
Code Unique Code Description
200 The question groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the
question groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

Chapter 6. REST API V8.0 References 359

 GET /qrm/question_groups/{group_id}
Retrieves a question group.

Retrieves a question group.

Table 662. GET /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 663. GET /qrm/question_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 664. GET /qrm/question_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The question group was retrieved.
404 1002 The question group does not exist.
500 1020 An error occurred during the attempt to retrieve the
question group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

360 QRadar API Reference Guide

 Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/question_groups/{group_id}
Updates the owner of a question group.

Updates the owner of a question group.

Table 665. POST /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 666. POST /qrm/question_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 361

 Table 667. POST /qrm/question_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 668. POST /qrm/question_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The question group was updated.
404 1002 The question group does not exist.
409 1004 The provided user does not have the required
capabilities to own the question group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
question group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"

362 QRadar API Reference Guide

 ],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/question_groups/{group_id}
Deletes a question group.

Deletes a question group.

Table 669. DELETE /qrm/question_groups/{group_id} resource details
MIME Type
text/plain

Table 670. DELETE /qrm/question_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 671. DELETE /qrm/question_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The question group was deleted.
404 1002 The question group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
question group.

Chapter 6. REST API V8.0 References 363

 Response Description

Response Sample

GET /qrm/simulation_groups
Retrieves a of list the simulation groups.

Retrieves a list of the simulation groups.

Table 672. GET /qrm/simulation_groups resource details
MIME Type
application/json

Table 673. GET /qrm/simulation_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 674. GET /qrm/simulation_groups response codes

HTTP Response
Code Unique Code Description
200 The simulation groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the
simulation groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.

364 QRadar API Reference Guide

 v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/simulation_groups/{group_id}
Retrieves a simulation group.

Retrieves a simulation group.

Table 675. GET /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 365

 Table 676. GET /qrm/simulation_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 677. GET /qrm/simulation_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The simulation group were retrieved.
404 1002 The simulation group does not exist.
500 1020 An error occurred during the attempt to retrieve the
simulation group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,

366 QRadar API Reference Guide

 "level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/simulation_groups/{group_id}
Updates the owner of a simulation group.

Updates the owner of a simulation group.

Table 678. POST /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 679. POST /qrm/simulation_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 367

 Table 680. POST /qrm/simulation_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 681. POST /qrm/simulation_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The simulation group was updated.
404 1002 The simulation group does not exist.
409 1004 The provided user does not have the required
capabilities to own the simulation group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
simulation group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"

368 QRadar API Reference Guide

 ],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/simulation_groups/{group_id}
Deletes a simulation group.

Deletes a simulation group.

Table 682. DELETE /qrm/simulation_groups/{group_id} resource details
MIME Type
text/plain

Table 683. DELETE /qrm/simulation_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 684. DELETE /qrm/simulation_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The simulation group has been deleted.
404 1002 The simulation group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
simulation group.

Chapter 6. REST API V8.0 References 369

 Response Description

Response Sample

GET /qrm/topology_saved_search_groups
Retrieves a list of topology saved search groups.

Retrieves a list of topology saved search groups.

Table 685. GET /qrm/topology_saved_search_groups resource details
MIME Type
application/json

Table 686. GET /qrm/topology_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 687. GET /qrm/topology_saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The topology saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
topology saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.

370 QRadar API Reference Guide

 v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/topology_saved_search_groups/{group_id}
Retrieves a topology saved search group.

Retrieves a topology saved search group.

Table 688. GET /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 371

 Table 689. GET /qrm/topology_saved_search_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 690. GET /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The topology saved search group was retrieved.
404 1002 The topology saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
topology saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,

372 QRadar API Reference Guide

 "level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/topology_saved_search_groups/{group_id}
Updates the owner of an topology saved search group.

Updates the owner of an topology saved search group.

Table 691. POST /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 692. POST /qrm/topology_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 373

 Table 693. POST /qrm/topology_saved_search_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 694. POST /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The topology saved search group was updated.
404 1002 The topology saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the topology saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
topology saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"

374 QRadar API Reference Guide

 ],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/topology_saved_search_groups/{group_id}
Deletes a topology saved search group.

Deletes a topology saved search group.

Table 695. DELETE /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 696. DELETE /qrm/topology_saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 697. DELETE /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The topology saved search group was deleted.
404 1002 The topology saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
topology saved search group.

Chapter 6. REST API V8.0 References 375

 Response Description

Response Sample

QRadar Vulnerability Manager endpoints

Use the references for REST API V8.0 QRadar Vulnerability Manager endpoints.

GET /qvm/assets
List the assets with discovered vulnerabilities present in the asset model. The
response contains all available RESTful resources.
Table 698. GET /qvm/assets resource details
MIME Type
application/json

Table 699. GET /qvm/assets request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 700. GET /qvm/assets response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by asset
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of assets data

Response Sample

GET /qvm/filters
Get a list of the allowable filters that can be used or applied against /qvm
endpoints.
v /qvm/assets
v /qvm/vulns
v /qvm/vulninstances
v /qvm/openservices
v /qvm/networks
v queries

376 QRadar API Reference Guide

 Table 701. GET /qvm/filters resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 702. GET /qvm/filters response codes
HTTP Response
Code Unique Code Description
200 The search executed successfully
420 9102 An error occurred while executing the search

Response Description

list of Filters.

Response Sample

GET /qvm/network
List the networks present in the asset model with vulnerabilities present. The
response contains all available RESTful resources
Table 703. GET /qvm/network resource details
MIME Type
application/json

Table 704. GET /qvm/network request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 705. GET /qvm/network response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by network
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of network related data

Chapter 6. REST API V8.0 References 377

 Response Sample

GET /qvm/openservices
List the openservices present in the asset model with vulnerabilities present. The
response will contain all available RESTful resources
Table 706. GET /qvm/openservices resource details
MIME Type
application/json

Table 707. GET /qvm/openservices request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 708. GET /qvm/openservices response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by open
service completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of open services related data

Response Sample

GET /qvm/saved_search_groups
Retrieves a list of vulnerability saved search groups.

Retrieves a list of vulnerability saved search groups.

Table 709. GET /qvm/saved_search_groups resource details
MIME Type
application/json

378 QRadar API Reference Guide

Table 710. GET /qvm/saved_search_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 711. GET /qvm/saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The vulnerability saved search groups were
returned.
500 1020 An error occurred during the attempt to retrieve the
vulnerability saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 6. REST API V8.0 References 379

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qvm/saved_search_groups/{group_id}
Retrieves a vulnerability saved search group.

Retrieves a vulnerability saved search group.

Table 712. GET /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 713. GET /qvm/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

380 QRadar API Reference Guide

Table 714. GET /qvm/saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The vulnerability saved search group was retrieved.
404 1002 The vulnerability saved search group does not exist.
422 1005 null
500 1020 An error occurred during the attempt to retrieve the
vulnerability saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group. (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 6. REST API V8.0 References 381

 POST /qvm/saved_search_groups/{group_id}
Updates the owner of an vulnerability saved search group.

Updates the owner of an vulnerability saved search group.

Table 715. POST /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 716. POST /qvm/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 717. POST /qvm/saved_search_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object { "child_groups": [ 42 ], "child_items": [ "String" ],
with the owner set to a "description": "String", "id": 42, "level": 42, "name":
valid deployed user. "String", "owner": "String", "parent_id": 42, "type":
"String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP, RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 718. POST /qvm/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The vulnerability saved search group was updated.
404 1002 The vulnerability saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the vulnerability saved search
group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
vulnerability saved search group.

382 QRadar API Reference Guide

 Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qvm/saved_search_groups/{group_id}
Deletes a vulnerability saved search group.

Deletes a vulnerability saved search group.

Table 719. DELETE /qvm/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Chapter 6. REST API V8.0 References 383

 Table 720. DELETE /qvm/saved_search_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 721. DELETE /qvm/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The vulnerability saved search group was deleted.
404 1002 The vulnerability saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
vulnerability saved search group.

Response Description

Response Sample

GET /qvm/saved_searches
Retrieves a list of vulnerability instance saved searches.

Retrieves a list of vulnerability instance saved searches.

Table 722. GET /qvm/saved_searches resource details
MIME Type
application/json

Table 723. GET /qvm/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

384 QRadar API Reference Guide

 Table 723. GET /qvm/saved_searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 724. GET /qvm/saved_searches response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully.
500 1020 An error occurred while trying to retrieve the list of
saved searches.

Response Description
A list of vulnerability instance saved searches that can be used or applied against:
v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

Each saved search that is returned includes an ID, name, and list of filters that
make up this saved search.

Response Sample
[
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
assets
Lists the Vulnerability Instances assets that are returned from the vulnerability
instance saved search.

Chapter 6. REST API V8.0 References 385

 Lists the Vulnerability Instances assets that are returned from the saved search.
Table 725. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets resource
details
MIME Type
application/json

Table 726. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 727. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets response

codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving results.

Response Description

A list of assets associated with the vulnerability instance data.

386 QRadar API Reference Guide

 Response Sample
[{"risk_policies": [{"passed": true,
"name": "String",
"last_evaluated": 42,
"question_type": "String",
"groups": ["String"]}],
"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String",
"network_name": "String"
}]
}],
"hostnames": ["String"],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"
}],
"operating_systems": [{"last_seen_date": 42,
"name": "String"
}]
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
vuln_instances
Lists the Vulnerability Instances returned from a vulnerability instance saved
search.

Lists the Vulnerability Instances returned from a saved search.

Table 728. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
resource details
MIME Type
application/json

Table 729. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 6. REST API V8.0 References 387

 Table 729. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 730. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances

response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully.
404 1002 Resource not found
500 1020 An error occurred while retrieving results

Response Description

A list of vulnerability instance data.

Response Sample
[{"id": 42,
"cvss_environmental_score_string": "String",
"last_seen_date": 42,
"asset_id": 42,
"domain_id": 42,
"relevant_patches": [{"security_notice": "String",
"description": "String",
"patch_type": "String <one of: OS, NONOS>"
}],
"cvss_environmental_score": 42.5,
"seen_by_scan_profile": "String",

388 QRadar API Reference Guide

 "risk_score": 42.5,
"vulnerability_id": 42,
"first_seen_date": 42
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
vulnerabilities
List the Vulnerability Instances vulnerabilities returned from the saved search.
Table 731. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities
resource details
MIME Type
application/json

Table 732. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 733. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities

response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully
404 1002 Resource not found
500 1020 Error while retrieving results

Chapter 6. REST API V8.0 References 389

 Response Description

list of vulnerability instance data

Response Sample
[{"cvss_base_score_string": "String",
"virtual_patches": [{"device": "String",
"qid": "String",
"signature": "String"
}],
"osvdb_title": "String",
"cvss_temporal_score": 42.5,
"cvss_base_score": 42.5,
"concern": "String",
"cve_ids": ["String"],
"critical_details": "String",
"risk_factor": {"name": "String <one of: High,
Medium,
Low,
Warning>",
"code": 42
},
"cvss_temporal_score_string": "String",
"severity": {"name": "String <one of: Patch,
Urgent,
Critical,
High,
Medium,
Low>",
"code": 42
},
"remediation": "String",
"id": 42, "patches": [{"security_notice": "String",
"description": "String"
}],
"description": "String"
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/status
Retrieves the current status of a vulnerability instance search that was initiated.

Retrieves the current status of a vulnerability instance search that was initiated.
Table 734. GET /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 735. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

390 QRadar API Reference Guide

 Table 735. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 736. GET /qvm/saved_searches/vuln_instances/{task_id}/status response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the current status of the
vulnerability instance search completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected vulnerability instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED, EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/saved_searches/vuln_instances/{task_id}/status
Updates the status of a vulnerability instance saved search.

Updates the status of a vulnerability instance saved search.

Table 737. POST /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 391

 Table 738. POST /qvm/saved_searches/vuln_instances/{task_id}/status request parameter
details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number text/plain Required. The ID of the
(Integer) task to update.
status query Optional String text/plain Optional. The only
accepted value is
CANCELLED. If this value
is provided, the search is
cancelled.
retention_period_in_days query Optional Number text/plain Optional. Set the data
(Integer) retention period in days
for the results. Accepted
values 0 - 14. Use 0 to
delete a result at the next
clean up cycle. Default
data retention period is 2
days.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 739. POST /qvm/saved_searches/vuln_instances/{task_id}/status response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully.
403 1009 You do not have the proper capabilities to retrieve
the Vulnerability Instance Saved Search.
404 1002 Resource not found.
409 1004 The current status of the search prevented the task
from being cancelled.
422 1005 A request parameter is not valid.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected Vulnerability Instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

392 QRadar API Reference Guide

 PROCESSING,
QUEUED,
RESUMING>"
}

GET /qvm/saved_searches/{saved_search_id}
Retrieves a vulnerability instance saved search.

Retrieves a vulnerability instance saved search.

Table 740. GET /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 741. GET /qvm/saved_searches/{saved_search_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 742. GET /qvm/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully
404 1002 The Saved Search does not exist
500 1020 An error occurred while trying to retrieve the
vulnerability instance saved search

Response Description

A vulnerability instance saved search that can be used or applied against:

v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

The saved search contains an ID, name, and list of filters that make up this saved
search.

Chapter 6. REST API V8.0 References 393

 Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}

POST /qvm/saved_searches/{saved_search_id}
Updates the vulnerability saved search owner only.

Updates the vulnerability saved search owner only.

Table 743. POST /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 744. POST /qvm/saved_searches/{saved_search_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 745. POST /qvm/saved_searches/{saved_search_id} request body details

Parameter Data Type MIME Type Description Sample
saved_search Object application/ null { "filters": [ { "operator":
json "String", "parameter":
"String", "value": "String"
} ], "id": 42, "name":
"String", "owner": "String"
}

Table 746. POST /qvm/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The vulnerability saved search was updated.
403 1009 You do not have the required capabilities to update
the vulnerability saved search.
404 1002 The vulnerability saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the vulnerability saved search.

394 QRadar API Reference Guide

 Table 746. POST /qvm/saved_searches/{saved_search_id} response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 A request parameter is not valid.
500 1020 null

Response Description
The vulnerability saved search after it was updated. A Vulnerability Saved Search
object contains the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /qvm/saved_searches/{saved_search_id}
Deletes a vulnerability saved search.

Deletes a vulnerability saved search.

Table 747. DELETE /qvm/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 748. DELETE /qvm/saved_searches/{saved_search_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)

Table 749. DELETE /qvm/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
204 The vulnerability saved search was deleted.

Chapter 6. REST API V8.0 References 395

 Table 749. DELETE /qvm/saved_searches/{saved_search_id} response codes (continued)
HTTP Response
Code Unique Code Description
403 1009 You do not have the required capabilities to delete
the vulnerability saved search.
404 1002 The vulnerability saved search does not exist.
500 1020 null

Response Description

Response Sample

GET /qvm/saved_searches/{saved_search_id}/vuln_instances
Creates the Vulnerability Instances search. This search returns a maximum of
100,000 results.
Table 750. GET /qvm/saved_searches/{saved_search_id}/vuln_instances resource details
MIME Type
application/json

Table 751. GET /qvm/saved_searches/{saved_search_id}/vuln_instances request parameter

details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain ID of saved search
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list based on the
contents of various
fields.
Range header Optional String text/plain Optional - Specify the
range for the results that
you want to return, up
to 100,000 results. For
example, 0-599,
200-99999. The list is
indexed and begins at
zero.

Result pagination example:

To return the first 100,000 rows, follow these steps:

396 QRadar API Reference Guide

 1. Run the GET - /qvm/saved_searches/{saved_search_id}/vuln_instances
endpoint with a range of 0-99999 and a saved_search_id that equals 2.
2. Run the GET - /qvm/saved_searches/vuln_instances/{task_id}/status
endpoint to check search the status
3. When the search status changes to COMPLETED, run the GET -
/qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances to
get the vulnerability instances results.
Table 752. GET /qvm/saved_searches/{saved_search_id}/vuln_instances response codes
HTTP Response
Code Unique Code Description
201 The vulnerability instance search is queued.
404 1002 null
500 1020 null

Response Description

The response returns a task ID.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/tickets/assign
Update the remediation ticket for the assigned vulnerability
Table 753. POST /qvm/tickets/assign resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 397

 Table 754. POST /qvm/tickets/assign request body details
Parameter Data Type MIME Type Description Sample
ticket JSON application/json [ { "ticketId":"1000",
'ticketId': required. "status":"Opened", "priority":"Critical",
"dueDate":"2015-01-04 12:00:00",
"assignedUser":"admin",
'priority' one of required :
"comment":"testComment",
Critical, Major, Minor,
"commentUser":"admin" } ]
Warning, Informational.

'status' one of required :

Opened, Fixed, Re-Opened,
Closed .

'dueDate' Optional :
yyyy-MM-dd HH:mm:ss.

'assignedUser' required : valid

QRadar user account name or
a valid email.

'comment' Optional : text.

'commentUser' Optional :
valid QRadar user account
name, if not included will
default current API user.

Table 755. POST /qvm/tickets/assign response codes

HTTP Response
Code Unique Code Description
200 The request to assign a ticket completed successfully
420 9104 An error occurred while trying to assign a ticket due
to invalid arguments

Response Description

success message if update succeed

Response Sample

GET /qvm/vulns
List the Vulnerabilities present in the asset model. The response will contain all
available RESTful resources
Table 756. GET /qvm/vulns resource details
MIME Type
application/json

Table 757. GET /qvm/vulns request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

398 QRadar API Reference Guide

 Table 758. GET /qvm/vulns response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities completed
successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of vulnerability data

Response Sample

Reference data endpoints

Use the references for REST API V8.0 reference data endpoints.

GET /reference_data/map_delete_tasks/{task_id}
Retrieves the delete reference data map task status.

Retrieves the delete reference data map task status.

Table 759. GET /reference_data/map_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 760. GET /reference_data/map_delete_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 761. GET /reference_data/map_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Chapter 6. REST API V8.0 References 399

 Response Description

A Delete Task Status object and the location header set to the task status url
"/api/reference_data/maps/map_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_dependent_tasks/{task_id}
Retrieves the dependent reference data map task status.

Retrieves the dependent reference data map task status.

Table 762. GET /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

400 QRadar API Reference Guide

Table 763. GET /reference_data/map_dependent_tasks/{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 764. GET /reference_data/map_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.

Chapter 6. REST API V8.0 References 401

 status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",

402 QRadar API Reference Guide

 "task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_dependent_tasks/{task_id}
Cancels the dependent reference data map task.

Cancels the dependent reference data map task.

Table 765. POST /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 766. POST /reference_data/map_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 403

 Table 767. POST /reference_data/map_dependent_tasks/{task_id} request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 768. POST /reference_data/map_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state
422 1005 A request parameter is not valid
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.

404 QRadar API Reference Guide

v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

Chapter 6. REST API V8.0 References 405

 PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_dependent_tasks/{task_id}/results
Retrieves the reference data map dependent task results.

Retrieves the reference data map dependent task results.

Table 769. GET /reference_data/map_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 770. GET /reference_data/map_dependent_tasks/{task_id}/results request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 771. GET /reference_data/map_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The reference data map dependents were retrieved.

406 QRadar API Reference Guide

Table 771. GET /reference_data/map_dependent_tasks/{task_id}/results response
codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
reference data maps.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource. ( Default
resources can have localized names )
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,

Chapter 6. REST API V8.0 References 407

 FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/map_of_sets
Retrieve a list of all reference map of sets.
Table 772. GET /reference_data/map_of_sets resource details
MIME Type
application/json

Table 773. GET /reference_data/map_of_sets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

408 QRadar API Reference Guide

 Table 774. GET /reference_data/map_of_sets response codes
HTTP Response
Code Unique Code Description
200 The reference map of sets list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference map of sets

Response Description

A list of all of the reference map of sets. This returns information about the map of
sets but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/map_of_sets
Create a new reference map of sets.
Table 775. POST /reference_data/map_of_sets resource details
MIME Type
application/json

Table 776. POST /reference_data/map_of_sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map of sets
to create
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map of sets. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values

Chapter 6. REST API V8.0 References 409

 Table 776. POST /reference_data/map_of_sets request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 777. POST /reference_data/map_of_sets response codes

HTTP Response
Code Unique Code Description
201 A new reference map of sets was successfully
created
409 1004 The reference map of sets could not be created, the
name provided is already in use. Please change the
name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map of sets

Response Description
Information about the newly created reference map of sets.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

410 QRadar API Reference Guide

POST /reference_data/map_of_sets/bulk_load/{name}
Adds or updates data in a reference map of sets.

Adds or updates data in a reference map of sets.

Table 778. POST /reference_data/map_of_sets/bulk_load/{name} resource details
MIME Type
application/json

Table 779. POST /reference_data/map_of_sets/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the map of sets to add
or update data in.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 780. POST /reference_data/map_of_sets/bulk_load/{name} request body details

MIME
Parameter Data Type Type Description Sample
data Array application/Required - The {"key1":["Data11","Data12"],
json JSON-formatted data "key2":["Data21","Data22"],
to add or update in "key3":["Data31","Data32"],
the reference map of "key4":["Data41","Data42"],
sets. "key5":["Data51","Data52"],
"key6":["Data61","Data62"]}

Table 781. POST /reference_data/map_of_sets/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 Data was successfully added or updated in the
reference map of sets.
400 1001 An error occurred parsing the JSON-formatted
message body.
404 1002 The reference map of sets does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or
update data in the reference map of sets.

Chapter 6. REST API V8.0 References 411

 Response Description

Information about the reference map of sets where data was added or updated.
This returns information about the reference map of sets but not the data that it
contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/map_of_sets/{name}
Return the reference map of sets identified by name.

Return the reference map of sets identified by name. If provided, limit specifies
the number of records to return starting at the record that is specified by offset. If
the number is not specified, then the first 20 records is returned.
Table 782. GET /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 783. GET /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

412 QRadar API Reference Guide

 Table 784. GET /reference_data/map_of_sets/{name} response codes
HTTP Response
Code Unique Code Description
200 The reference map of sets has been retrieved
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference map of sets

Response Description

The reference map of sets identified by the name specified in the request. The
portion of the reference map of sets' data returned is dependent on the limit and
offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
]
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/{name}
Add or update an element in a reference map of sets.
Table 785. POST /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 786. POST /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to add or update
an element in
key query Required String text/plain Required - The key of
the set to add or
update

Chapter 6. REST API V8.0 References 413

 Table 786. POST /reference_data/map_of_sets/{name} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value query Required String text/plain Required - The value to
add or update in the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - This
indicates where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 787. POST /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had an element added
or updated
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map of sets

Response Description

Information about the reference map of sets that has had an element added or
updated. This returns information about the reference map of sets but not the
contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,

414 QRadar API Reference Guide

 "time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/map_of_sets/{name}
Remove a map of sets or purge its contents.
Table 788. DELETE /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 789. DELETE /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map of sets
should have its
contents purged (true),
keeping the reference
map of sets structure. If
the value is "false" or
not specified the
reference map of sets
will be removed
completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 790. DELETE /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets deletion or purge
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map of sets

Chapter 6. REST API V8.0 References 415

 Response Description

A status_id to retrieve the Reference Data Map of Sets deletion or purge status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

416 QRadar API Reference Guide

GET /reference_data/map_of_sets/{name}/dependents
Retrieves the dependents of the Map of Sets.

Initiates the retrieval of dependents of the Map of Sets

Table 791. GET /reference_data/map_of_sets/{name}/dependents resource details
MIME Type
application/json

Table 792. GET /reference_data/map_of_sets/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 793. GET /reference_data/map_of_sets/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Response Description

A status_id to retrieve the Reference Data Map of Sets dependent retrieval status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,

Chapter 6. REST API V8.0 References 417

 "created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/map_of_sets/{name}/{key}
Remove a value from a reference map of sets.

Remove a value from a reference map of sets.

Table 794. DELETE /reference_data/map_of_sets/{name}/{key} resource details
MIME Type
application/json

418 QRadar API Reference Guide

Table 795. DELETE /reference_data/map_of_sets/{name}/{key} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove a value
from
key path Required String text/plain Required - The key of
the value to remove
value query Required String text/plain Required - The value to
remove from the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 796. DELETE /reference_data/map_of_sets/{name}/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had a value removed
404 1002 The reference map of sets does not exist
404 1003 The record does not exist in the reference map of
sets
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference map of sets value

Response Description

Information about the reference map of sets that had a value removed. This returns
information about the reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,

Chapter 6. REST API V8.0 References 419

 "time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/map_of_sets_delete_tasks/{task_id}
Retrieves the delete reference data map of sets task status.

Retrieves the delete reference data map of sets task status.

Table 797. GET /reference_data/map_of_sets_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 798. GET /reference_data/map_of_sets_delete_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 799. GET /reference_data/map_of_sets_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description
A Delete Task Status object and the location header set to the task status url
"/api/reference_data/map_of_sets/map_of_sets_delete_tasks/{task_id}". A Delete
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.

420 QRadar API Reference Guide

 v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}
Retrieves the dependent reference data map of sets task status.

Retrieves the dependent reference data map of sets task status.

Table 800. GET /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 801. GET /reference_data/map_of_sets_dependent_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 421

 Table 802. GET /reference_data/map_of_sets_dependent_tasks/{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

422 QRadar API Reference Guide

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

Chapter 6. REST API V8.0 References 423

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_of_sets_dependent_tasks/{task_id}
Cancels the dependent reference data map of sets task.

Cancels the dependent reference data map of sets task.

Table 803. POST /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 804. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 805. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request body

details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 806. POST /reference_data/map_of_sets_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.

424 QRadar API Reference Guide

Table 806. POST /reference_data/map_of_sets_dependent_tasks/{task_id} response
codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Chapter 6. REST API V8.0 References 425

 Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

426 QRadar API Reference Guide

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}/
results
Retrieves the reference data map of sets dependent task results.

Retrieves the reference data map of sets dependent task results.

Table 807. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results resource
details
MIME Type
application/json

Table 808. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 809. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results response

codes
HTTP Response
Code Unique Code Description
200 The reference data map of sets dependents have
been retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
reference data map of sets.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
Chapter 6. REST API V8.0 References 427
 v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

428 QRadar API Reference Guide

GET /reference_data/maps
Retrieve a list of all reference maps.
Table 810. GET /reference_data/maps resource details
MIME Type
application/json

Table 811. GET /reference_data/maps request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 812. GET /reference_data/maps response codes

HTTP Response
Code Unique Code Description
200 The reference map list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference maps

Response Description

A list of all of the reference maps. This returns information about the maps but not
the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",

Chapter 6. REST API V8.0 References 429

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/maps
Create a new reference map.
Table 813. POST /reference_data/maps resource details
MIME Type
application/json

Table 814. POST /reference_data/maps request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map to
create
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"

430 QRadar API Reference Guide

 Table 814. POST /reference_data/maps request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 815. POST /reference_data/maps response codes

HTTP Response
Code Unique Code Description
201 A new reference map was successfully created
409 1004 The reference map could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map

Response Description

Information about the newly created reference map.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/bulk_load/{name}
Adds or updates data in a reference map.

Adds or updates data in a reference map.

Table 816. POST /reference_data/maps/bulk_load/{name} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 431

 Table 817. POST /reference_data/maps/bulk_load/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
map to add or update
data in.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 818. POST /reference_data/maps/bulk_load/{name} request body details

MIME
Parameter Data Type Type Description Sample
data Array application/ Required - The {"key1":"Data1",
json JSON-formatted data to "key2":"Data2",
add or update in the "key3":"Data3",
reference map. "key4":"Data4",
"key5":"Data5",
"key6":"Data6"}

Table 819. POST /reference_data/maps/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 Data was successfully added or updated in the
reference map.
400 1001 An error occurred parsing the JSON-formatted
message body.
404 1002 The reference map does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or
update data in the reference map.

Response Description

Information about the reference map where data was added or updated. This
returns information about the reference map but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",

432 QRadar API Reference Guide

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/maps/{name}
Retrieve the reference map identified by name.

Retrieve the reference map identified by name. If it is provided, limit specifies the
number of records to return starting at record that is specified by offset. If the
number is not specified, then the first 20 records are returned.
Table 820. GET /reference_data/maps/{name} resource details
MIME Type
application/json

Table 821. GET /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 822. GET /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map has been retrieved
404 1002 The reference map does not exist
422 1005 A request parameter is not valid

Chapter 6. REST API V8.0 References 433

 Table 822. GET /reference_data/maps/{name} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to retrieve the
reference map

Response Description
The reference map identified by the name specified in the request. The portion of
the reference map's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/{name}
Add or update an element in a reference map.
Table 823. POST /reference_data/maps/{name} resource details
MIME Type
application/json

Table 824. POST /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
add or update an
element in
key query Required String text/plain Required - The key
who's value we want to
add or update

434 QRadar API Reference Guide

Table 824. POST /reference_data/maps/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value query Required String text/plain Required - The value to
add or update in the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 825. POST /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map has had an element added or
updated
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map

Response Description

Information about the reference map that had an element added or updated. This
returns information about reference map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

Chapter 6. REST API V8.0 References 435

 DELETE /reference_data/maps/{name}
Remove a reference map or purge its contents.
Table 826. DELETE /reference_data/maps/{name} resource details
MIME Type
application/json

Table 827. DELETE /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map should
have its contents
purged (true), keeping
the reference map
structure. If the value is
"false" or not specified
the reference map will
be removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 828. DELETE /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Maps deletion or purge request
has been accepted and is in progress
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map

Response Description

A status_id to retrieve the Reference Data Maps deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

436 QRadar API Reference Guide

 Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/maps/{name}/dependents
Retrieves the dependents of the Map.
Table 829. GET /reference_data/maps/{name}/dependents resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 437

 Table 830. GET /reference_data/maps/{name}/dependents request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map
retrieve dependents for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 831. GET /reference_data/maps/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Maps dependent retrieval
request has been accepted and is in progress
404 1002 The reference Map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map

Response Description

A status_id to retrieve the Reference Data Maps dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,

438 QRadar API Reference Guide

 EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/maps/{name}/{key}
Remove a value from a reference map.

Remove a value from a reference map.

Table 832. DELETE /reference_data/maps/{name}/{key} resource details
MIME Type
application/json

Table 833. DELETE /reference_data/maps/{name}/{key} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove a value from
key path Required String text/plain Required - The key of
the value to remove
value query Required String text/plain Required - The value to
remove from the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.

Chapter 6. REST API V8.0 References 439

 Table 833. DELETE /reference_data/maps/{name}/{key} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 834. DELETE /reference_data/maps/{name}/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map has had a value removed
404 1002 The reference map does not exist
404 1003 The record does not exist in the reference map
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
value from the reference map

Response Description

Information about the reference map that had an element removed. This returns
information about map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/set_delete_tasks/{task_id}
Retrieves the delete reference data set task status.

Retrieves the delete reference data set task status.

Table 835. GET /reference_data/set_delete_tasks/{task_id} resource details
MIME Type
application/json

440 QRadar API Reference Guide

Table 836. GET /reference_data/set_delete_tasks/{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 837. GET /reference_data/set_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/reference_data/sets/set_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,

Chapter 6. REST API V8.0 References 441

 "status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/set_dependent_tasks/{task_id}
Retrieves the dependent reference data set task status.

Retrieves the dependent reference data set task status.

Table 838. GET /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 839. GET /reference_data/set_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 840. GET /reference_data/set_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
dependent task status.

Response Description
A Dependent Task Status object and the location header set to the task status URL
"/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:

442 QRadar API Reference Guide

v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,

Chapter 6. REST API V8.0 References 443

 INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/set_dependent_tasks/{task_id}
Cancels the dependent reference data set task.

Cancels the dependent reference data set task.

Table 841. POST /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

444 QRadar API Reference Guide

Table 842. POST /reference_data/set_dependent_tasks/{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 843. POST /reference_data/set_dependent_tasks/{task_id} request body details

MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 844. POST /reference_data/set_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.

Chapter 6. REST API V8.0 References 445

 v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,

446 QRadar API Reference Guide

 RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/set_dependent_tasks/{task_id}/results
Retrieves the reference data set dependent task results.

Retrieves the reference data set dependent task results.

Table 845. GET /reference_data/set_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 846. GET /reference_data/set_dependent_tasks/{task_id}/results request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 6. REST API V8.0 References 447

 Table 846. GET /reference_data/set_dependent_tasks/{task_id}/results request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 847. GET /reference_data/set_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The reference data set dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
reference data sets.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,

448 QRadar API Reference Guide

 QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/sets
Retrieve a list of all reference sets.
Table 848. GET /reference_data/sets resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 449

 Table 849. GET /reference_data/sets request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 850. GET /reference_data/sets response codes

HTTP Response
Code Unique Code Description
200 The reference set list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference sets

Response Description

A list of all of the reference sets. This returns information about the sets but not the
contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

450 QRadar API Reference Guide

POST /reference_data/sets
Create a new reference set.
Table 851. POST /reference_data/sets resource details
MIME Type
application/json

Table 852. POST /reference_data/sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference set being
created
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
set. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 853. POST /reference_data/sets response codes

HTTP Response
Code Unique Code Description
201 A new reference set was successfully created

Chapter 6. REST API V8.0 References 451

 Table 853. POST /reference_data/sets response codes (continued)
HTTP Response
Code Unique Code Description
409 1004 The reference set could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference set

Response Description

Information about the newly created reference set.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/bulk_load/{name}
Add or update data in a reference set.
Table 854. POST /reference_data/sets/bulk_load/{name} resource details
MIME Type
application/json

Table 855. POST /reference_data/sets/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
set to add or update
data in
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

452 QRadar API Reference Guide

 Table 856. POST /reference_data/sets/bulk_load/{name} request body details
Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON ["String", "String",
formated data to add or "String", "String",
update in the reference "String", "String",
set "String", "String",
"String", "String",
"String"]

Table 857. POST /reference_data/sets/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had data added or updated
400 1001 An error occurred parsing the JSON formatted
message body
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference set

Response Description
Information about the reference set that had data added or updated. This returns
information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name}
Retrieve the reference set identified by name.

Retrieve the reference set that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 858. GET /reference_data/sets/{name} resource details
MIME Type
application/json

Table 859. GET /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
retrieve

Chapter 6. REST API V8.0 References 453

 Table 859. GET /reference_data/sets/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 860. GET /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has been retrieved
404 1002 The reference set does not exist.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference set

Response Description

The reference set identified by the name specified in the request. The portion of the
set's data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
],
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",

454 QRadar API Reference Guide

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/{name}
Add or update an element in a reference set.
Table 861. POST /reference_data/sets/{name} resource details
MIME Type
application/json

Table 862. POST /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to add
or update an element in
value query Required String text/plain Required - The value to
add or update in the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 863. POST /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had an element added or
updated
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update an element in the reference set

Chapter 6. REST API V8.0 References 455

 Response Description

Information about the reference set that had an element added or updated. This
returns information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/sets/{name}
Remove a reference set or purge its contents.
Table 864. DELETE /reference_data/sets/{name} resource details
MIME Type
application/json

Table 865. DELETE /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the set to remove or
purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference set should
have its contents
purged (true), keeping
the reference set
structure. If the value is
"false" or not specified
the reference set will be
removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

456 QRadar API Reference Guide

Table 866. DELETE /reference_data/sets/{name} response codes
HTTP Response
Code Unique Code Description
202 The Reference Data Sets deletion or purge request
has been accepted and is in progress
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference set

Response Description

A status_id to retrieve the Reference Data Sets deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

Chapter 6. REST API V8.0 References 457

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/sets/{name}/{value}
Remove a value from a reference set.

Remove a value from a reference set.

Table 867. DELETE /reference_data/sets/{name}/{value} resource details
MIME Type
application/json

Table 868. DELETE /reference_data/sets/{name}/{value} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
remove a value from
value path Required String text/plain Required - The value to
remove from the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 869. DELETE /reference_data/sets/{name}/{value} response codes

HTTP Response
Code Unique Code Description
200 The reference set that had a value removed
404 1002 The reference set does not exist
404 1003 The record does not exist in the reference set
422 1005 A request parameter is not valid

458 QRadar API Reference Guide

 Table 869. DELETE /reference_data/sets/{name}/{value} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to remove the
value from the reference set.

Response Description
Information about the reference set that had an value removed. This returns
information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name}/dependents
Retrieves the dependents of the set.
Table 870. GET /reference_data/sets/{name}/dependents resource details
MIME Type
application/json

Table 871. GET /reference_data/sets/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the Reference Set
retrieve dependents for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 872. GET /reference_data/sets/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Sets dependent retrieval request
has been accepted and is in progress
404 1002 The Reference Set does not exist

Chapter 6. REST API V8.0 References 459

 Table 872. GET /reference_data/sets/{name}/dependents response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the Reference Set

Response Description

A status_id to retrieve the Reference Data Sets dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,

460 QRadar API Reference Guide

 RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables
Retrieve a list of all reference tables.
Table 873. GET /reference_data/tables resource details
MIME Type
application/json

Table 874. GET /reference_data/tables request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 875. GET /reference_data/tables response codes

HTTP Response
Code Unique Code Description
200 The reference table list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference tables

Response Description

A list of all of the reference tables. This returns information about the tables but
not the contained data.

Chapter 6. REST API V8.0 References 461

 Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/tables
Create a new reference table.
Table 876. POST /reference_data/tables resource details
MIME Type
application/json

Table 877. POST /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference table to
create
element_type query Required String text/plain Required - The default
element type for the
values allowed in the
reference table. This is
used when values are
added or updated in the
reference table who's
inner key was not defined
in the key_name_types
parameter. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented in
milliseconds since the
Unix Epoch January 1st
1970.
outer_key_label query Optional String text/plain Optional - The label to
describe the outer keys
timeout_type query Optional String text/plain Optional - The allowed
values are "FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for example:
"1 month" or "5 minutes"
key_name_types query Optional Array<Object> application/json Optional - A JSON
formatted string. This
array creates the inner key
names and corresponding
value types for the table

462 QRadar API Reference Guide

 Table 877. POST /reference_data/tables request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 878. POST /reference_data/tables response codes

HTTP Response
Code Unique Code Description
201 A new reference table was successfully created
409 1004 The reference table could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference table

Response Description

Information about the newly created reference table.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/bulk_load/{name}
Adds or updates data in a reference table.

Adds or updates data in a reference table.

Table 879. POST /reference_data/tables/bulk_load/{name} resource details
MIME Type
application/json

Table 880. POST /reference_data/tables/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
table to add or update
data in.

Chapter 6. REST API V8.0 References 463

 Table 880. POST /reference_data/tables/bulk_load/{name} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 881. POST /reference_data/tables/bulk_load/{name} request body details

MIME
Parameter Data Type Type Description Sample
data Array application/ Required - The {"key1":{"col1":"Data11","col2":"Data12",
json JSON-formatted data to "col3":"Data13","col4":"Data14"},
add or update in the "key2":{"col1":"Data21","col2":"Data22",
reference table. "col3":"Data23","col4":"Data24"},
"key3":{"col1":"Data31","col2":"Data32",
"col3":"Data33","col4":"Data34"},
"key4":{"col1":"Data41","col2":"Data42",
"col3":"Data43","col4":"Data44"},
"key5":{"col1":"Data51","col2":"Data52",
"col3":"Data53","col4":"Data54"},
"key6":{"col1":"Data61","col2":"Data62",
"col3":"Data63","col4":"Data64"}}

Table 882. POST /reference_data/tables/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 Data was successfully added or updated in the
reference table.
400 1001 An error occurred parsing the JSON-formatted
message body.
404 1002 The reference table does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or
update data in the reference table.

Response Description
Information about the reference table where data was added or updated. This
returns information about the reference table but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",

464 QRadar API Reference Guide

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/tables/{name}
Return the reference table identified by name.

Return the reference table that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 883. GET /reference_data/tables/{name} resource details
MIME Type
application/json

Table 884. GET /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 885. GET /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference table has been retrieved
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference table

Chapter 6. REST API V8.0 References 465

 Response Description

The reference table identified by the name specified in the request. The portion of
the reference table's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/{name}
Add or update an element in a reference table.

Add or update an element in a reference table. The value to be added must be of

the appropriate type. Either the type that corresponds to the innerKey that is
predefined for the reference table, or the default elementType of the reference table
Table 886. POST /reference_data/tables/{name} resource details
MIME Type
application/json

Table 887. POST /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
add or update an
element in
outer_key query Required String text/plain Required - The outer
key for the element to
add or update
inner_key query Required String text/plain Required - The inner
key for the element to
add or update

466 QRadar API Reference Guide

Table 887. POST /reference_data/tables/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value query Required String text/plain Required - The value to
add or update in the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 888. POST /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference table has had an element added or
updated
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference table

Response Description

Information about the reference table that had an element added or updated. This
returns information about the reference table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",

Chapter 6. REST API V8.0 References 467

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/tables/{name}
Removes a reference table or purge its contents.
Table 889. DELETE /reference_data/tables/{name} resource details
MIME Type
application/json

Table 890. DELETE /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference table should
have its contents
purged (true), keeping
the reference table
structure. If the value is
"false" or not specified
the reference table will
be removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 891. DELETE /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables deletion or purge request
has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference table

468 QRadar API Reference Guide

Response Description

A status_id to retrieve the Reference Data Tables deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

Chapter 6. REST API V8.0 References 469

 GET /reference_data/tables/{name}/dependents
Retrieves the dependents of the table.
Table 892. GET /reference_data/tables/{name}/dependents resource details
MIME Type
application/json

Table 893. GET /reference_data/tables/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 894. GET /reference_data/tables/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Response Description

A status_id to retrieve the Reference Data Tables dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,

470 QRadar API Reference Guide

 "maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/tables/{name}/{outer_key}/{inner_key}
Removes a value from a reference table.

Remove a value from a reference table.

Table 895. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} resource details
MIME Type
application/json

Table 896. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove a value from

Chapter 6. REST API V8.0 References 471

 Table 896. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
outer_key path Required String text/plain Required - The outer
key of the value to
remove
inner_key path Required String text/plain Required - The inner
key of the value to
remove
value query Required String text/plain Required - The value to
remove from the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 897. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} response codes

HTTP Response
Code Unique Code Description
200 The reference table had had a value removed
404 1002 The reference table does not exist
404 1003 The record does not exist in the reference table
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference table value

Response Description

Information about the reference table that had an element removed. This returns
information about table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",

472 QRadar API Reference Guide

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

Scanner endpoints
Use the references for REST API V8.0 scanner endpoints.

GET /scanner/profiles
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
Table 898. GET /scanner/profiles resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 899. GET /scanner/profiles response codes
HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample

POST /scanner/profiles/create
Initiates a request to create a new Scan Profile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and IP addresses to scan. For example:
{name:New Scan Profile, ips:[10.100.85.135]}
Table 900. POST /scanner/profiles/create resource details
MIME Type
text/plain

Chapter 6. REST API V8.0 References 473

 Table 901. POST /scanner/profiles/create request body details
Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 902. POST /scanner/profiles/create response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully created
419 9101 Occurs when a parameter is missing or invalid
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

POST /scanner/profiles/start
Initiates a request to start an already created scanProfile.

The request takes one parameter - scanProfileId. To get a list of scanProfileIds, get
a list of the current scan profiles by initiating a 'profiles' request on the scanner
endpoint. The scanProfileId is validated and an appropriate message is returned.
Table 903. POST /scanner/profiles/start resource details
MIME Type
text/plain

Table 904. POST /scanner/profiles/start request parameter details

Parameter Type Optionality Data Type MIME Type Description
scanProfileId query Required String text/plain The unique id of the
scan profile we want to
start

Table 905. POST /scanner/profiles/start response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

474 QRadar API Reference Guide
 Response Sample
String

GET /scanner/scanprofiles
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 906. GET /scanner/scanprofiles resource details
MIME Type
application/json

Table 907. GET /scanner/scanprofiles request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 475

 Table 908. GET /scanner/scanprofiles response codes
HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles
Initiates a request to create a new scanProfile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and hosts to scan. For example:
{name:New Scan Profile, hosts:[10.100.85.135]}
Table 909. POST /scanner/scanprofiles resource details
MIME Type
text/plain

476 QRadar API Reference Guide

 Table 910. POST /scanner/scanprofiles request body details
Parameter Data Type MIME Type Description Sample
scanProfile Object application/json null { "description": "String",
"hosts": [ "String" ],
"name": "String" }

Table 911. POST /scanner/scanprofiles response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully created
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid}
Retrieves a scan profile for a given Scan Profile ID.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v name
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 912. GET /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 913. GET /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we need to
retrieve information for

Chapter 6. REST API V8.0 References 477

 Table 913. GET /scanner/scanprofiles/{profileid} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 914. GET /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
200 The scan profile was successfully returned
500 1030 Occurs when an attempt is made to list a scan
profile when certain conditions are not met, or when
too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,

478 QRadar API Reference Guide

 "hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles/{profileid}
Update a scan profile. The Scan Profile ID is required.

The following information on a scan profile can be updated:

v name
v description
v IP addresses

For example:
{name:Updated Scan Profile, ips:[10.100.85.135]}
Table 915. POST /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 916. POST /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile used to
update

Table 917. POST /scanner/scanprofiles/{profileid} request body details

Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 918. POST /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
202 The scan profile was successfully updated
500 1030 Occurs when an attempt is made to update a scan
profile when certain conditions are not met, or when
too many scan requests have been made

Chapter 6. REST API V8.0 References 479

 Response Description

A message to indicate whether the scan profile has updated or not.

Response Sample

DELETE /scanner/scanprofiles/{profileid}
Initiates a request to delete a scanProfile.

The request takes one parameter - the Scan Profile ID.

Table 919. DELETE /scanner/scanprofiles/{profileid} resource details
MIME Type
text/plain

Table 920. DELETE /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain null

Table 921. DELETE /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
204 The scan has been successfully deleted
500 1030 Occurs when an attempt is made to delete a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been deleted successfully or not.

Response Sample
String

POST /scanner/scanprofiles/{profileid}/start
Initiates a request to start an already created scanProfile.

The request takes one parameter, scanProfileId, and one optional parameter, ips.
To get a list of scanProfileIds, simply get a list of the current scan profiles by
initiating a 'profiles' request on the scanner endpoint. The scanProfileId, is
validated and an appropriate message returned.
Table 922. POST /scanner/scanprofiles/{profileid}/start resource details
MIME Type
text/plain

480 QRadar API Reference Guide

 Table 923. POST /scanner/scanprofiles/{profileid}/start request parameter details
MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we want to
start

Table 924. POST /scanner/scanprofiles/{profileid}/start request body details

Parameter Data Type MIME Type Description Sample
ips JSON application/json null null

Table 925. POST /scanner/scanprofiles/{profileid}/start response codes

HTTP Response
Code Unique Code Description
202 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

Services endpoints
Use the references for REST API V8.0 services endpoints.

POST /services/dig_lookups
Creates a new DIG lookup.

Creates a new DIG lookup. Lookup completes in the background.

Table 926. POST /services/dig_lookups resource details
MIME Type
application/json

Table 927. POST /services/dig_lookups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
IP query Required String text/plain Used to retrieve the
DIG lookup.

Chapter 6. REST API V8.0 References 481

 Table 927. POST /services/dig_lookups request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 928. POST /services/dig_lookups response codes

HTTP Response
Code Unique Code Description
201 The DIG lookup was created successfully.
500 1020 An internal server error occurred during the creation
of the DIG lookup.

Response Description

A DIG Lookup object, and the location header that is set to the task status URL
"/services/dig_lookups/{dig_lookup_id}". A DIG Lookup object contains the
following fields:
v id - Long - The ID of the DIG lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DIG lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/dig_lookups/{dig_lookup_id}
Retrieves the DIG lookup status.

482 QRadar API Reference Guide

Retrieves the DIG Lookup status and result. The result is included if the lookup
completed.
Table 929. GET /services/dig_lookups/{dig_lookup_id} resource details
MIME Type
application/json

Table 930. GET /services/dig_lookups/{dig_lookup_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
dig_lookup_id path Required Number text/plain Required - The ID of the
(Integer) Dig lookup to be
retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 931. GET /services/dig_lookups/{dig_lookup_id} response codes

HTTP Response
Code Unique Code Description
200 The DIG lookup Status was retrieved.
404 1002 The DIG lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the
DIG lookup status.

Response Description

A DIG Lookup object, and the location header that is set to the task status URL
"/services/dig_lookups/{dig_lookup_id}". A DIG Lookup object contains the
following fields:
v id - Long - The ID of the DIG lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DIG lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

Chapter 6. REST API V8.0 References 483

 PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /services/dns_lookups
Creates a new DNS lookup.

Creates a new DNS lookup. Lookup completes in the background.

Table 932. POST /services/dns_lookups resource details
MIME Type
application/json

Table 933. POST /services/dns_lookups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
IP query Required String text/plain Used to retrieve the
DNS lookup.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 934. POST /services/dns_lookups response codes

HTTP Response
Code Unique Code Description
201 The DNS lookup was successfully created.
500 1020 An internal server error occurred during the creation
of the DNS lookup.

Response Description

A DNS Lookup object and the location header set to the task status URL
"/services/dns_lookups/{dns_lookup_id}". A DNS status object contains the
following fields:
v id - Long - The ID of the DNS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DNS lookup when it is complete.
v status - String - The current state of the task.

484 QRadar API Reference Guide

 Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/dns_lookups/{dns_lookup_id}
Retrieves the DNS lookup status.

Retrieves the DNS Lookup status. The result is included if the lookup completes.
Table 935. GET /services/dns_lookups/{dns_lookup_id} resource details
MIME Type
application/json

Table 936. GET /services/dns_lookups/{dns_lookup_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
dns_lookup_id path Required Number text/plain Required - The ID of the
(Integer) DNS lookup to be
retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 937. GET /services/dns_lookups/{dns_lookup_id} response codes

HTTP Response
Code Unique Code Description
200 The DNS lookup status was retrieved.
404 1002 The DNS lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the
DNS lookup status.

Chapter 6. REST API V8.0 References 485

 Response Description

A DNS Lookup object, and the location header set to the task status URL
"/services/dns_lookups/{dns_lookup_id}". A DNS status object contains the
following fields:
v id - Long - The ID of the DNS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the DNS lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /services/port_scans
Creates a new PortScans lookup. Port scan completes in the background.

Creates a new port scan lookup. This endpoint is not available on SaaS systems. It
return a 404 error.
Table 938. POST /services/port_scans resource details
MIME Type
application/json

Table 939. POST /services/port_scans request parameter details

MIME
Parameter Type Optionality Data Type Type Description
IP query Required String text/plain Used to retrieve the
port scan lookup.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

486 QRadar API Reference Guide

 Table 940. POST /services/port_scans response codes
HTTP Response
Code Unique Code Description
201 he PortScans lookup was created successfully.
500 1020 An internal server error occurred during the creation
of the port scan lookup.

Response Description

A port scan object and the location header set to the task status URL
"/services/port_scans/{port_scan_id}". A port scan status object contains the
following fields:
v id - Long - The ID of the port scan.
v ip - String - The IP address to be investigated.
v message - String - The result of the port scan when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/port_scans/{port_scan_id}
Retrieves the port scan status. The result is included if the port scan completes.

Retrieves the port scan status.

Table 941. GET /services/port_scans/{port_scan_id} resource details
MIME Type
application/json

Table 942. GET /services/port_scans/{port_scan_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
port_scan_id path Required Number text/plain Required - The ID of the
(Integer) port scan to be retrieved.

Chapter 6. REST API V8.0 References 487

 Table 942. GET /services/port_scans/{port_scan_id} request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 943. GET /services/port_scans/{port_scan_id} response codes

HTTP Response
Code Unique Code Description
200 The port scan status was retrieved.
404 1002 The port scan sStatus does not exist.
500 1020 An error occurred during the attempt to retrieve the
port scan status.

Response Description

A port scan object and the location header set to the task status url
"/services/port_scans/{port_scan_id}". A port scan status object contains the
following fields:
v id - Long - The ID of the port scan.
v message - String - The result of the port scan when complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /services/whois_lookups
Creates a new WHOIS lookup.

Creates a new WHOIS lookup. Lookup completes in the background.

488 QRadar API Reference Guide

Table 944. POST /services/whois_lookups resource details
MIME Type
application/json

Table 945. POST /services/whois_lookups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
IP query Required String text/plain Used to retrieve the
WHOIS lookup.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 946. POST /services/whois_lookups response codes

HTTP Response
Code Unique Code Description
201 The WHOIS lookup was created successfully.
500 1020 An internal server error occurred during the creation
of the WHOIS lookup.

Response Description

A WHOIS lookup object, and the location header that is set to the task status URL
"/services/whois_lookups/{whois_lookup_id}". A WHOIS status object contains
the following fields:
v id - Long - The ID of the WHOIS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the WHOIS lookup when complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

Chapter 6. REST API V8.0 References 489

 PROCESSING,
QUEUED,
RESUMING>"
}

GET /services/whois_lookups/{whois_lookup_id}
Retrieves the WHOIS lookup status.

Retrieves the WHOIS lookup status. The result is included if the lookup completes.
Table 947. GET /services/whois_lookups/{whois_lookup_id} resource details
MIME Type
application/json

Table 948. GET /services/whois_lookups/{whois_lookup_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
whois_lookup_id path Required Number text/plain Required - The ID of the
(Integer) WHOIS lookup to be
retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 949. GET /services/whois_lookups/{whois_lookup_id} response codes

HTTP Response
Code Unique Code Description
200 The WHOIS lookup status was retrieved.
404 1002 The WHOIS lookup status does not exist.
500 1020 An error occurred during the attempt to retrieve the
WHOIS lookup status.

Response Description

A WHOIS lookup object, and the location header that is set to the task status URL
"/services/whois_lookups/{whois_lookup_id}". A WHOIS status object contains
the following fields:
v id - Long - The ID of the WHOIS lookup.
v ip - String - The IP address to be investigated.
v message - String - The result of the WHOIS lookup when it is complete.
v status - String - The current state of the task.

Response Sample
{
"id": 42,
"ip": "String",
"message": "String",

490 QRadar API Reference Guide

 "status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

SIEM endpoints
Use the references for REST API V8.0 SIEM endpoints.

GET /siem/local_destination_addresses
Retrieve a list offense local destination addresses currently in the system.
Table 950. GET /siem/local_destination_addresses resource details
MIME Type
application/json

Table 951. GET /siem/local_destination_addresses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 6. REST API V8.0 References 491

 Table 952. GET /siem/local_destination_addresses response codes
HTTP Response
Code Unique Code Description
200 The local destination address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the local destination
address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object

contains the following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}
]

492 QRadar API Reference Guide

GET /siem/local_destination_addresses/
{local_destination_address_id}
Retrieve an offense local destination address.
Table 953. GET /siem/local_destination_addresses/{local_destination_address_id} resource
details
MIME Type
application/json

Table 954. GET /siem/local_destination_addresses/{local_destination_address_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
local_destination_address_id path Required Number text/plain Required - The ID of the
(Integer) local destination address
to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 955. GET /siem/local_destination_addresses/{local_destination_address_id} response

codes
HTTP Response
Code Unique Code Description
200 The local destination was retrieved.
404 1002 No local destination address was found for the
provided local_destination_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the local destination
address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the
following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.

Chapter 6. REST API V8.0 References 493

 v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}

GET /siem/offense_closing_reasons
Retrieve a list of all offense closing reasons.
Table 956. GET /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 957. GET /siem/offense_closing_reasons request parameter details

MIME
Parameter Type Optionality Data Type Type Description
include_reserved query Optional Boolean text/plain Optional - If true,
reserved closing
reasons are included in
the response. Defaults
to false. Reserved
closing reasons cannot
be used to close an
offense.
include_deleted query Optional Boolean text/plain Optional - If true,
deleted closing reasons
are included in the
response. Defaults to
false. Deleted closing
reasons cannot be used
to close an offense.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

494 QRadar API Reference Guide

 Table 957. GET /siem/offense_closing_reasons request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict
the number of elements
that are returned in the
list to a specified
range. The list is
indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 958. GET /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
200 The closing reasons list was retrieved.
500 1020 An error occurred while the closing reasons list was
being retrieved.

Response Description

An array of ClosingReason objects. A closing reason object contains the following

fields:
v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
[
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
]

POST /siem/offense_closing_reasons
Create an offense closing reason.
Table 959. POST /siem/offense_closing_reasons resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 495

 Table 960. POST /siem/offense_closing_reasons request parameter details
MIME
Parameter Type Optionality Data Type Type Description
reason query Required String text/plain Required - The text of
the offense closing
reason must be 5 - 60
characters in length.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 961. POST /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
201 The closing reason was created.
409 1004 The closing reason already exists.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the
closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_closing_reasons/{closing_reason_id}
Retrieve an offense closing reason.
Table 962. GET /siem/offense_closing_reasons/{closing_reason_id} resource details
MIME Type
application/json

496 QRadar API Reference Guide

 Table 963. GET /siem/offense_closing_reasons/{closing_reason_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
closing_reason_id path Required Number text/plain Required - The closing
(Integer) reason ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 964. GET /siem/offense_closing_reasons/{closing_reason_id} response codes

HTTP Response
Code Unique Code Description
200 The closing reason was retrieved.
404 1002 No closing reason was found for the provided
closing_reason_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
closing reason.

Response Description
A ClosingReason object. A closing reason object contains the following fields:
v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_saved_search_delete_tasks/{task_id}
Retrieves the delete the offense saved search task status.

Retrieves the delete offense saved search task status.

Chapter 6. REST API V8.0 References 497

 Table 965. GET /siem/offense_saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 966. GET /siem/offense_saved_search_delete_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 967. GET /siem/offense_saved_search_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

498 QRadar API Reference Guide

 Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
}

GET /siem/offense_saved_search_dependent_tasks/{task_id}
Retrieves the dependent the offense saved search task status.

Retrieves the dependent offense saved search task status.

Table 968. GET /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 969. GET /siem/offense_saved_search_dependent_tasks/{task_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 970. GET /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Chapter 6. REST API V8.0 References 499

 Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,

500 QRadar API Reference Guide

 CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /siem/offense_saved _search_dependent_tasks/{task_id}

Cancels the dependent the offense saved search task.

Cancels the dependent offense saved search task.

Table 971. POST /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 501

 Table 972. POST /siem/offense_saved_search_dependent_tasks/{task_id} request
parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 973. POST /siem/offense_saved_search_dependent_tasks/{task_id} request body

details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 974. POST /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:

502 QRadar API Reference Guide

v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state the sub-task is in.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

Chapter 6. REST API V8.0 References 503

 PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /siem/offense_saved _search_dependent_tasks/{task_id}/

results
Retrieves the offense saved search dependent task results.

Retrieves the offense saved search dependent task results.

Table 975. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results resource
details
MIME Type
application/json

504 QRadar API Reference Guide

Table 976. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results request
parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 977. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results response

codes
HTTP Response
Code Unique Code Description
200 The offense saved search dependents were retrieved
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
offense saved searches.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:

Chapter 6. REST API V8.0 References 505

 ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /siem/offense_saved_search_groups
Retrieves a list of offense saved search groups.

Retrieves a list of offense saved search groups.

Table 978. GET /siem/offense_saved_search_groups resource details
MIME Type
application/json

506 QRadar API Reference Guide

Table 979. GET /siem/offense_saved_search_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 980. GET /siem/offense_saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The offense saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
offense saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 6. REST API V8.0 References 507

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /siem/offense_saved_search_groups/{group_id}
Retrieves an offense saved search group.

Retrieves an offense saved search group.

Table 981. GET /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 982. GET /siem/offense_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

508 QRadar API Reference Guide

Table 983. GET /siem/offense_saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The offense saved search group was retrieved.
404 1002 The offense saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
offense saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 6. REST API V8.0 References 509

 POST /siem/offense_saved_search_groups/{group_id}
Updates the owner of an offense saved search group.

Updates the owner of an offense saved search group.

Table 984. POST /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 985. POST /siem/offense_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 986. POST /siem/offense_saved_search_groups/{group_id} request body details

MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 987. POST /siem/offense_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The offense saved search group was updated.
404 1002 The offense saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the offense saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
offense saved search group.

510 QRadar API Reference Guide

 Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /siem/offense_saved_search_groups/{group_id}
Deletes an offense saved search group.

Deletes an offense saved search group.

Table 988. DELETE /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Chapter 6. REST API V8.0 References 511

 Table 989. DELETE /siem/offense_saved_search_groups/{group_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 990. DELETE /siem/offense_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The offense saved search group has been deleted.
404 1002 The offense saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
offense saved search group.

Response Description

Response Sample

GET /siem/offense_saved_searches
Retrieves a list of offense saved searches.

Retrieves a list of offense saved searches.

Table 991. GET /siem/offense_saved_searches resource details
MIME Type
application/json

Table 992. GET /siem/offense_saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

512 QRadar API Reference Guide

 Table 992. GET /siem/offense_saved_searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 993. GET /siem/offense_saved_searches response codes

HTTP Response
Code Unique Code Description
200 The offense saved searches were retrieved.
500 1020 An error occurred during the attempt to retrieve the
offense saved searches.

Response Description

An array of offense saved search objects. An offense saved search object contains
the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
[
{
"id": 42,
"name": "String",
"owner": "String"
}
]

GET /siem/offense_saved_searches/{id}
Retrieves an offense saved search.

Retrieves an offense saved search.

Table 994. GET /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 513

 Table 995. GET /siem/offense_saved_searches/{id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 996. GET /siem/offense_saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The offense saved search was retrieved.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the
offense saved search.

Response Description

The offense saved search after it has been retrieved. An offense saved search object
contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

514 QRadar API Reference Guide

POST /siem/offense_saved_searches/{id}
Updates the offense saved search owner only.

Updates the offense saved search owner only.

Table 997. POST /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 998. POST /siem/offense_saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict
the number of
elements that are
returned in the list to a
specified range. The
list is indexed starting
at zero.
filter header Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 999. POST /siem/offense_saved_searches/{id} request body details

MIME
Parameter Data Type Type Description Sample
saved_search Object application/ null { "id": "1", "name":
json "String", "is_shared":
true, "owner": "String"
}

Table 1000. POST /siem/offense_saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The offense saved search was updated.

Chapter 6. REST API V8.0 References 515

 Table 1000. POST /siem/offense_saved_searches/{id} response codes (continued)
HTTP Response
Code Unique Code Description
403 1009 You do not have the required capabilities to update
the offense saved search.
404 1002 The offense saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the offense saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
offense saved search.

Response Description

The offense saved search after it is updated. An offense saved search object
contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /siem/offense_saved_searches/{id}
Deletes an offense saved search. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task to do is
started for this check.

Deletes an offense saved search. To ensure safe deletion, a dependency check is

carried out. This check might take some time. An asynchronous task to do is
started for this check.
Table 1001. DELETE /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 1002. DELETE /siem/offense_saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

516 QRadar API Reference Guide

Table 1002. DELETE /siem/offense_saved_searches/{id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1003. DELETE /siem/offense_saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
202 The offense saved search delete command was
accepted and is in progress.
403 1009 You do not have the required capabilities to delete
the offense saved search.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to delete the
offense saved search.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.

Chapter 6. REST API V8.0 References 517

 v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_searches/{id}/dependents
Retrieves the objects that depend on an offense saved search.

Retrieves the objects that depend on an offense saved search.

Table 1004. GET /siem/offense_saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 1005. GET /siem/offense_saved_searches/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

518 QRadar API Reference Guide

Table 1006. GET /siem/offense_saved_searches/{id}/dependents response codes
HTTP Response
Code Unique Code Description
202 The offense saved search dependents retrieval was
accepted and is in progress.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to initiate the
offense saved search dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_dependents_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Chapter 6. REST API V8.0 References 519

 Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

520 QRadar API Reference Guide

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /siem/offenses
Retrieve a list of offenses currently in the system.

Retrieve a list of offenses currently in the system.

Table 1007. GET /siem/offenses resource details
MIME Type
application/json

Table 1008. GET /siem/offenses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1009. GET /siem/offenses response codes

HTTP Response
Code Unique Code Description
200 The offense list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the offense list was being
retrieved.

Chapter 6. REST API V8.0 References 521

 Response Description

An array of Offense objects. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense. Filtering is not supported
on this field.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
Filtering is not supported on this field.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense. Filtering is not supported on
this field.
v offense_type - Number - A number that represents the offense type. Use GET
/siem/offense_types to retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.

522 QRadar API Reference Guide

 v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED". The following operators are not supported when you filter on this
field: "<", ">", "<=", ">=", "BETWEEN".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.

Response Sample
[{"credibility": 42,
"source_address_ids": [42],
"remote_destination_count": 42,
"local_destination_address_ids": [42],
"assigned_to": "String",
"local_destination_count": 42,
"source_count": 42,
"start_time": 42,
"id": 42,
"destination_networks": ["String"],
"inactive": true,
"protected": true,
"policy_category_count": 42,
"description": "String",
"category_count": 42,
"domain_id": 42,
"relevance": 42,
"device_count": 42,
"security_category_count": 42,
"flow_count": 42,
"event_count": 42,
"offense_source": "String",
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"magnitude": 42,
"severity": 42,
"username_count": 42,
"closing_user": "String",
"follow_up": true,
"closing_reason_id": 42,
"close_time": 42,
"source_network": "String",
"last_updated_time": 42,
"categories": ["String"],
"offense_type": 42
}]

GET /siem/offenses/{offense_id}
Retrieve an offense structure that describes properties of an offense

Retrieve an offense structure that describes properties of an offense

Table 1010. GET /siem/offenses/{offense_id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 523

 Table 1011. GET /siem/offenses/{offense_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1012. GET /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being
retrieved.

Response Description

An Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.

524 QRadar API Reference Guide

v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. Use GET
/siem/offense_types to retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,

Chapter 6. REST API V8.0 References 525

 "flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offenses/{offense_id}/notes
Retrieve a list of notes for an offense.
Table 1013. GET /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 1014. GET /siem/offenses/{offense_id}/notes request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the notes
for.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

526 QRadar API Reference Guide

 Table 1014. GET /siem/offenses/{offense_id}/notes request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1015. GET /siem/offenses/{offense_id}/notes response codes

HTTP Response
Code Unique Code Description
200 The note list was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the note list was being
retrieved.

Response Description

An array of Note objects. A Note object contains the following fields:

v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
[
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
]

GET /siem/offenses/{offense_id}/notes/{note_id}
Retrieve a note for an offense.
Table 1016. GET /siem/offenses/{offense_id}/notes/{note_id} resource details
MIME Type
application/json

Table 1017. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the note
from.

Chapter 6. REST API V8.0 References 527

 Table 1017. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
note_id path Required Number text/plain Required - The note ID.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1018. GET /siem/offenses/{offense_id}/notes/{note_id} response codes

HTTP Response
Code Unique Code Description
200 The note was retrieved.
404 1002 No offense was found for the provided offense_id.
404 1003 No note was found for the provided note_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
note.

Response Description
The Note object for the note ID. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}/notes
Create a note on an offense.
Table 1019. POST /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

528 QRadar API Reference Guide

 Table 1020. POST /siem/offenses/{offense_id}/notes request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to add the note to.
note_text query Required String text/plain Required - The note
text.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1021. POST /siem/offenses/{offense_id}/notes response codes

HTTP Response
Code Unique Code Description
201 The note was created.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the
note.

Response Description

The Note object that was created. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}
Update an offense.
Table 1022. POST /siem/offenses/{offense_id} resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 529

 Table 1023. POST /siem/offenses/{offense_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The ID of
(Integer) the offense to update.
protected query Optional Boolean text/plain Optional - Set to true
to protect the offense.
follow_up query Optional Boolean text/plain Optional - Set to true
to set the follow up
flag on the offense.
status query Optional String text/plain Optional - The new
status for the offense.
Set to one of: OPEN,
HIDDEN, CLOSED.
When the status of an
offense is being set to
CLOSED, a valid
closing_reason_id must
be provided. To hide
an offense, use the
HIDDEN status. To
show a previously
hidden offense, use the
OPEN status.
closing_reason_id query Optional Number text/plain Optional - The ID of a
(Integer) closing reason. You
must provide a valid
closing_reason_id
when you close an
offense.
assigned_to query Optional String text/plain Optional - A user to
assign the offense to.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1024. POST /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was updated.
403 1009 User does not have the required capability to assign an
offense.
404 1002 No offense was found for the provided offense_id.
409 1008 Request cannot be completed due to the state of the
offense.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being updated.

530 QRadar API Reference Guide

Response Description

An updated Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. See the
Offense Type Codes table for the code to offense type mapping.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.

Chapter 6. REST API V8.0 References 531

 v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.
Table 1025. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source
7 Hostname
8 Source Port
9 Destination Port
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,

532 QRadar API Reference Guide

 "id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offense_types
Retrieve all the Offense Types

Retrieve all Offense Types

Table 1026. GET /siem/offense_types resource details
MIME Type
application/json

Table 1027. GET /siem/offense_types request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 533

 Table 1027. GET /siem/offense_types request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.

Table 1028. GET /siem/offense_types response codes

HTTP Response
Code Unique Code Description
200 The requested offense types list has been retrieved.
422 1005 A request parameter is not valid.
422 1012 The selected field cannot be used for sorting or it
does not exist.
500 1020 An error occurred while attempting to retrieve the
offense type list.

Response Description

The Offense Types that exist at the moment. Offense types may include custom
flow/event properties only if they have been selected as part of a rule action or
rule response limiter.
v id - Number - The ID of the offense type and what is presented in the offense's
offense_type.
v property_name - String - The name of the event or flow property represented by
this offense type for flow or event properties or the unique identifier for custom
flow or event properties.
v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are:
EVENTS, FLOWS, or COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event
property.
The following field can be sorted on: id.

Response Sample
[
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,

534 QRadar API Reference Guide

 "name": "String",
"property_name": "String"
}
]

GET /siem/offense_types/{offense_type_id}
Retrieve an offense type structure that describes the properties of an offense type.

Retrieve an Offense Type

Table 1029. GET /siem/offense_types/{offense_type_id} resource details
MIME Type
application/json

Table 1030. GET /siem/offense_types/{offense_type_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
offense_type_id path Required Number text/plain Required - int - The
(Integer) offense type id.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1031. GET /siem/offense_types/{offense_type_id} response codes

HTTP Response
Code Unique Code Description
200 The requested offense type has been retrieved.
404 1002 The requested offense type cannot be found.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
requested offense type.

Response Description

The Offense Type with the entered offense_type_id.

v id - Number - The ID of the offense type and what is presented in the offense's
offense_type.
v property_name - String - The name of the of the event or flow property
represented by this offense type for flow or event properties or the unique
identifier for custom flow or event properties.
v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are:
EVENTS, FLOWS, or COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event
property.

Chapter 6. REST API V8.0 References 535

 Response Sample
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}

GET /siem/source_addresses
Retrieve a list offense source addresses currently in the system.
Table 1032. GET /siem/source_addresses resource details
MIME Type
application/json

Table 1033. GET /siem/source_addresses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1034. GET /siem/source_addresses response codes

HTTP Response
Code Unique Code Description
200 The source address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the source address list was
being retrieved.

536 QRadar API Reference Guide

 Response Description

An array of source address objects. A source address object contains the following
fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
]

GET /siem/source_addresses/{source_address_id}
Retrieve an offense source address.
Table 1035. GET /siem/source_addresses/{source_address_id} resource details
MIME Type
application/json

Table 1036. GET /siem/source_addresses/{source_address_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
source_address_id path Required Number text/plain Required - The ID of the
(Integer) source address to
retrieve.

Chapter 6. REST API V8.0 References 537

 Table 1036. GET /siem/source_addresses/{source_address_id} request parameter
details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1037. GET /siem/source_addresses/{source_address_id} response codes

HTTP Response
Code Unique Code Description
200 The source address was retrieved.
404 1002 No source address was found for the provided
source_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the source address was
being retrieved.

Response Description

A source address object. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],

538 QRadar API Reference Guide

 "magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}

Staged configuration endpoints

Use the references for REST API V7.0 staged configuration endpoints.

GET /staged_config/deploy_status
Retrieves the status of a deploy in progress.

Retrieves the status of a deploy in progress.

Table 1038. GET /staged_config/deploy_status resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 1039. GET /staged_config/deploy_status response codes
HTTP Response
Code Unique Code Description
200 The event Ariel saved search group was updated.
500 1020 An error occurred during the attempt to retrieve the
status of the running deploy,

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.
v hosts - Map of < String, List of String > - A map of status states and a list of
hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy. ( 0 -
100 )

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",

Chapter 6. REST API V8.0 References 539

 "status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING,
IN_PROGRESS,
COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

POST /staged_config/deploy_status
Executes a deploy.

Executes a deploy.
Table 1040. POST /staged_config/deploy_status resource details
MIME Type
application/json

Table 1041. POST /staged_config/deploy_status request body details

MIME
Parameter Data Type Type Description Sample
deploy_status Object application/ null { "hosts": [ {
json "host_status": "String
<one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT,
ERROR>", "ip":
"String", "status":
"String <one of:
SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT,
ERROR>" } ],
"initiated_by": "String",
"initiated_from":
"String",
"percent_complete":
42, "status": "String
<one of:
INITIALIZING,
IN_PROGRESS,
COMPLETE>", "type":
"String <one of:
INCREMENTAL,
FULL>" }

540 QRadar API Reference Guide

 Table 1042. POST /staged_config/deploy_status response codes
HTTP Response
Code Unique Code Description
200 The deploy was scheduled.
409 1002 Theere already exists a deploy in action, or there are
no changes to deploy.
409 1003 null
409 1004 null
422 1005 null
500 1020 An error occurred during the attempt to run the
deploy

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.
v hosts - Map of < String, List of String > - A map of status states and a list of
hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy. ( 0 -
100 )

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING,
IN_PROGRESS,
COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

GET /staged_config/deployment/hosts
Retrieves a list of all staged hosts.

Retrieves the list of all staged hosts.

Chapter 6. REST API V8.0 References 541

 Table 1043. GET /staged_config/deployment/hosts resource details
MIME Type
application/json

Table 1044. GET /staged_config/deployment/hosts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1045. GET /staged_config/deployment/hosts response codes

HTTP Response
Code Unique Code Description
200 The host list was successfully retrieved.
500 1005 An error occurred during the attempt to retrieve the
host list.

Response Description
A list of all the hosts. Each Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of
this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.

542 QRadar API Reference Guide

v eps_rate_hardware_limit - The upper limit for eps_allocation based on
hardware constraints for this managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous
month.
v peak_eps - The peak eps rate that was experienced by this managed host over
the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on
hardware constraints for this managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous
month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over
the previous month.
v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for
this managed host.
v license_serial_number - The serial number that is associated with this managed
host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this
managed host.
v encryption_enabled - Whether or not encryption is enabled for this managed
host.

Response Sample
[
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,

Chapter 6. REST API V8.0 References 543

 qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",
"peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}
]

GET /staged_config/deployment/hosts/{id}
Retrieves a staged host by ID.

Retrieves a staged host by ID.

Table 1046. GET /staged_config/deployment/hosts/{id} resource details
MIME Type
application/json

Table 1047. GET /staged_config/deployment/hosts/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the staged host to be
retrieved.

544 QRadar API Reference Guide

Table 1047. GET /staged_config/deployment/hosts/{id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1048. GET /staged_config/deployment/hosts/{id} response codes

HTTP Response
Code Unique Code Description
200 The host was successfully retrieved.
404 1006 No such staged host for the given ID
422 1007 The provided ID was a negative number or zero.
500 1008 An error occurred during the retrieval of the host.

Response Description

The associated staged host object. The Host object has the following fields:
v id - The ID of this managed host.
v hostname - The host name of this managed host.
v private_ip - The private IP of this managed host.
v public_ip - The public IP of this managed host.
v appliance - An object that represents the appliance type ID and description of
this managed host.
v version - The installed version on this managed host.
v status - The status of this managed host.
v eps_rate_hardware_limit - The upper limit for eps_allocation based on hardware
constraints for this managed host.
v eps_allocation - The allocated eps rate of this managed host.
v average_eps - The average eps rate of this managed host over the previous
month.
v peak_eps - The peak eps rate that was experienced by this managed host over
the previous month.
v fpm_rate_hardware_limit - The upper limit for fpm_allocation based on
hardware constraints for this managed host.
v fpm_allocation - The allocated fpm rate of this managed host.
v average_fpm - The average fpm rate of this managed host over the previous
month.
v peak_fpm - The peak fpm rate that was experienced by this managed host over
the previous month.

Chapter 6. REST API V8.0 References 545

 v primary_server_id - The ID for the primary server host for this managed host.
v secondary_server_id - If configured, the ID for the secondary server host for this
managed host.
v license_serial_number - The serial number that is associated with this managed
host's license.
v components - A list of components that are associated with this managed host.
v compression_enabled - Whether or not compression is enabled for this managed
host.
v encryption_enabled - Whether or not encryption is enabled for this managed
host.

Response Sample
{
"appliance": {
"id": "String",
"type": "String"
},
"average_eps": 42,
"average_fpm": 42,
"components": [
"String <one of: eventcollector,
eventprocessor,
dataNode,
magistrate,
ariel_query_server,
ariel_proxy_server,
vis,
assetprofiler,
qflow,
hostcontext,
tunnel,
setuptunnel,
ecs-ec,
ecs-ep,
resolveragent,
resolver_manager,
offsiteSource,
offsiteTarget,
accumulator,
offline_forwarder,
qvm,
qvmprocessor,
qvmscanner,
qvmhostedscanner,
qvmsiteprotector,
arc_builder,
tomcat-rm,
ziptie-server,
qrm,
asset_change_publisher,
forensicsnode,
forensics_realtime,
masterdaemon>"
],
"compression_enabled": true,
"encryption_enabled": true,
"eps_allocation": 42,
"eps_rate_hardware_limit": 42,
"fpm_allocation": 42,
"fpm_rate_hardware_limit": 42,
"hostname": "String",
"id": 42,
"license_serial_number": "String",

546 QRadar API Reference Guide

 "peak_eps": 42,
"peak_fpm": 42,
"primary_server_id": 42,
"private_ip": "String",
"public_ip": "String",
"secondary_server_id": 42,
"status": "String <one of: Active,
ADDING,
Deleted,
Deleting,
ADD_FAILED,
New,
ADD_FAILED_VERSION_CHECK,
ADD_FAILED_DEPLOY_IN_PROGRESS,
ADD_FAILED_RETRY_CONNECTION,
ADD_FAILED_HA,
ADD_FAILED_CHECK_LOGS>",
"version": "String"
}

GET /staged_config/global_system_notifications
Retrieves a list of all staged global system notifications.

Retrieves the list of staged global system notifications.

Table 1049. GET /staged_config/global_system_notifications resource details
MIME Type
application/json

Table 1050. GET /staged_config/global_system_notifications request parameter details. .

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 547

 Table 1051. GET /staged_config/global_system_notifications response codes
HTTP Response
Code Unique Code Description
200 The staged global system notifications list was
successfully retrieved.
500 1020 An internal server error occurred during retrieval of
the list of staged global system notifications.

Response Description

A list of all staged global system notifications. A notification contains the following
fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or
not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

GET /staged_config/global_system_notifications/
{notification_id}
Retrieves a staged global system notification by ID.

Retrieves a staged global system notification by ID.

Table 1052. GET /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 1053. GET /staged_config/global_system_notifications/{notification_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number text/plain ID that is used for
(Integer) retrieving a staged global
system notification.

548 QRadar API Reference Guide

 Table 1053. GET /staged_config/global_system_notifications/{notification_id} request
parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1054. GET /staged_config/global_system_notifications/{notification_id} response codes

HTTP Response
Code Unique Code Description
200 The staged global system notification was
successfully retrieved.
404 1002 No staged global system notification was found for
the provided notification ID.
500 1020 An error occurred during the retrieval of the
notification.

Response Description

The associated staged global system notification object. A notification contains the
following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.
v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or
not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

POST /staged_config/global_system_notifications/
{notification_id}
Updates an existing staged global system notification.

Updates an existing staged global system notification.

Chapter 6. REST API V8.0 References 549

 Table 1055. POST /staged_config/global_system_notifications/{notification_id} resource
details
MIME Type
application/json

Table 1056. POST /staged_config/global_system_notifications/{notification_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number text/plain ID that is used for
(Integer) updating a staged global
system notification.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1057. POST /staged_config/global_system_notifications/{notification_id} request body

details
MIME
Parameter Data Type Type Description Sample
notification Object application/ The updated global { "id": 1, "name":
json system notification "Systemloadover1minute",
object. "operator": "GT", "value": 3.6,
"message": "If your system
continues to exhibit this behavior,
please contact Customer Support.",
"enabled": true, "isDefault": true }

Table 1058. POST /staged_config/global_system_notifications/{notification_id} response

codes
HTTP Response
Code Unique Code Description
200 The staged global system notification was
successfully updated.
404 1002 No staged global system notification was found for
the provided notification ID.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the retrieval of the
notification.

Response Description

The associated updated staged global system notification object. A notification

contains the following fields:
v id - Long - The ID of the notification.
v name - String - The name of the notification.
v operator - String - The notification criteria operator.

550 QRadar API Reference Guide

 v value - String - The notification criteria value.
v message - Double - The notification message.
v default - Boolean - Whether the notification message is modified by the user or
not.
v enabled - Boolean - Whether the notification is enabled or not.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

GET /staged_config/remote_networks
Retrieves a list of staged remote networks.

Retrieves the list of staged remote networks.

Table 1059. GET /staged_config/remote_networks resource details
MIME Type
application/json

Table 1060. GET /staged_config/remote_networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 551

 Table 1061. GET /staged_config/remote_networks response codes
HTTP Response
Code Unique Code Description
200 The staged remote networks list was successfully
retrieved.
500 1020 An internal server error occurred during the
retrieval of the list of staged remote networks.

Response Description

A list of staged remote networks.

v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote network.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

POST /staged_config/remote_networks
Adds a new staged remote network.

Creates a new staged remote network.

Table 1062. POST /staged_config/remote_networks resource details
MIME Type
application/json

552 QRadar API Reference Guide

Table 1063. POST /staged_config/remote_networks request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 1064. POST /staged_config/remote_networks request body details

MIME
Parameter Data Type Type Description Sample
network Object application/ The new remote { "cidrs": [ "String" ],
json network object. "description": "String",
"group": "String", "id":
42, "name": "String" }

Table 1065. POST /staged_config/remote_networks response codes

HTTP Response
Code Unique Code Description
201 The new staged remote network was successfully
created.
409 1008 The remote network name already exists in the
selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the creation of the remote
network.

Response Description

The associated new created staged remote network object.

v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",

Chapter 6. REST API V8.0 References 553

 "group": "String",
"id": 42,
"name": "String"
}

GET /staged_config/remote_networks/{network_id}
Retrieves a staged remote network by ID.

Retrieves a staged remote network by ID.

Table 1066. GET /staged_config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 1067. GET /staged_config/remote_networks/{network_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
network_id path Required Number text/plain ID that is used to
(Integer) retrieve a staged remote
network.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 1068. GET /staged_config/remote_networks/{network_id} response codes

HTTP Response
Code Unique Code Description
200 The staged remote network was successfully
retrieved.
404 1002 No staged remote network was found with the
provided ID.
500 1020 An error occurred during the retrieval of the remote
network.

Response Description

The associated staged remote network object.

v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote network.

554 QRadar API Reference Guide

 Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

POST /staged_config/remote_networks/{network_id}
Updates an existing staged remote network.

Updates an existing staged remote network.

Table 1069. POST /staged_config/remote_networks/{network_id} resource details
MIME Type
application/json

Table 1070. POST /staged_config/remote_networks/{network_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
network_id path Required Number text/plain ID that is used to
(Integer) update a staged remote
network.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 1071. POST /staged_config/remote_networks/{network_id} request body details

MIME
Parameter Data Type Type Description Sample
network Object application/ The updated remote { "cidrs": [ "String" ],
json network object. "description": "String",
"group": "String", "id":
42, "name": "String" }

Table 1072. POST /staged_config/remote_networks/{network_id} response codes

HTTP Response
Code Unique Code Description
200 The staged remote network was successfully
updated.
404 1002 No staged remote network was found for the
provided network ID.

Chapter 6. REST API V8.0 References 555

 Table 1072. POST /staged_config/remote_networks/{network_id} response
codes (continued)
HTTP Response
Code Unique Code Description
409 1008 The remote network name already exists in the
selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the update of the remote
network.

Response Description

The associated updated staged remote network object.

v id - Long - The ID of the remote network.
v name - String - The name of the remote network.
v description - String - The description of the remote network.
v group - String - The group to which the remote network belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote network.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

DELETE /staged_config/remote_networks/{network_id}
Deletes an existing staged remote network.

Deletes an existing staged remote network.

Table 1073. DELETE /staged_config/remote_networks/{network_id} resource details
MIME Type
text/plain

Table 1074. DELETE /staged_config/remote_networks/{network_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
network_id path Required Number text/plain ID that is used to locate
(Integer) the staged remote
network.

556 QRadar API Reference Guide

 Table 1075. DELETE /staged_config/remote_networks/{network_id} response codes
HTTP Response
Code Unique Code Description
204 The staged remote network was successfully deleted.
404 1002 No staged remote network was found for the
provided network ID.
500 1020 An error occurred during the deletion of the remote
network.

Response Description

Response Sample

GET /staged_config/remote_services
Retrieves a list of staged remote services.

Retrieves the list of staged remote services

Table 1076. GET /staged_config/remote_services resource details
MIME Type
application/json

Table 1077. GET /staged_config/remote_services request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 6. REST API V8.0 References 557

 Table 1078. GET /staged_config/remote_services response codes
HTTP Response
Code Unique Code Description
200 The staged remote services list was successfully
retrieved.
500 1020 An internal server error occurred during the
retrieval of the list of staged remote services.

Response Description

A list of staged remote services.

v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote service.

Response Sample
[
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}
]

POST /staged_config/remote_services
Adds a staged remote service.

Creates a staged remote service.

Table 1079. POST /staged_config/remote_services resource details
MIME Type
application/json

558 QRadar API Reference Guide

Table 1080. POST /staged_config/remote_services request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 1081. POST /staged_config/remote_services request body details

MIME
Parameter Data Type Type Description Sample
service Object application/ The new remote service { "cidrs": [ "String" ],
json object. "description": "String",
"group": "String", "id":
42, "name": "String" }

Table 1082. POST /staged_config/remote_services response codes

HTTP Response
Code Unique Code Description
201 The new staged remote service was successfully
created.
409 1008 The remote service name already exists in the
selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the creation of the remote
service.

Response Description

The associated new created staged remote service object.

v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",

Chapter 6. REST API V8.0 References 559

 "group": "String",
"id": 42,
"name": "String"
}

GET /staged_config/remote_services/{service_id}
Retrieves a staged remote service by ID.

Retrieves a staged remote service by ID.

Table 1083. GET /staged_config/remote_services/{service_id} resource details
MIME Type
application/json

Table 1084. GET /staged_config/remote_services/{service_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
service_id path Required Number text/plain ID that is used for the
(Integer) retrieval of a staged
remote service.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 1085. GET /staged_config/remote_services/{service_id} response codes

HTTP Response
Code Unique Code Description
200 The staged remote service was successfully retrieved.
404 1002 No staged remote service was found with the
provided ID.
500 1020 An error occurred during the retrieval of the remote
service.

Response Description

The associated staged remote service object.

v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote service.

560 QRadar API Reference Guide

 Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

POST /staged_config/remote_services/{service_id}
Updates an existing staged remote service.

Updates an existing staged remote service.

Table 1086. POST /staged_config/remote_services/{service_id} resource details
MIME Type
application/json

Table 1087. POST /staged_config/remote_services/{service_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
service_id path Required Number text/plain ID that is used for
(Integer) updating a staged
remote service.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets.
Multiple fields in the
same object are
separated by commas.

Table 1088. POST /staged_config/remote_services/{service_id} request body details

MIME
Parameter Data Type Type Description Sample
service Object application/ null { "cidrs": [ "String" ],
json "description": "String",
"group": "String", "id":
42, "name": "String" }

Table 1089. POST /staged_config/remote_services/{service_id} response codes

HTTP Response
Code Unique Code Description
200 The staged remote service was successfully updated.
404 1002 No staged remote service was found for the
provided service ID.

Chapter 6. REST API V8.0 References 561

 Table 1089. POST /staged_config/remote_services/{service_id} response codes (continued)
HTTP Response
Code Unique Code Description
409 1008 The remote service name already exists in the
selected group.
422 1005 A request parameter is invalid.
500 1020 An error occurred during the update of the remote
service.

Response Description

The associated updated staged remote service object.

v id - Long - The ID of the remote service.
v name - String - The name of the remote service.
v description - String - The description of the remote service.
v group - String - The group to which the remote service belongs.
v cidrs - Array of <String> - A list of all the CIDR ranges that belong to the
remote service.

Response Sample
{
"cidrs": [
"String"
],
"description": "String",
"group": "String",
"id": 42,
"name": "String"
}

DELETE /staged_config/remote_services/{service_id}
Deletes an existing staged remote service.

Deletes an existing staged remote service.

Table 1090. DELETE /staged_config/remote_services/{service_id} resource details
MIME Type
text/plain

Table 1091. DELETE /staged_config/remote_services/{service_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
service_id path Required Number text/plain ID that is used for
(Integer) locating the staged
remote service.

Table 1092. DELETE /staged_config/remote_services/{service_id} response codes

HTTP Response
Code Unique Code Description
204 The staged remote service was successfully deleted.

562 QRadar API Reference Guide

 Table 1092. DELETE /staged_config/remote_services/{service_id} response
codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No staged remote service was found for the
provided service ID.
500 1020 An error occurred during the deletion of the remote
service.

Response Description

Response Sample

DELETE /staged_config/yara_rules
Deletes all Yara rules from the QRadar system.

Deletes all Yara rules from the QRadar system.

Table 1093. DELETE /staged_config/yara_rules resource details
MIME Type
text/plain

There are no parameters for this endpoint.

Table 1094. DELETE /staged_config/yara_rules response codes
HTTP Response
Code Unique Code Description
204 Yara rules were successfully deleted from the
system.
500 1020 An error occurred during the attempt to delete the
Yara rules.

Response Description

In case of an error, the method returns an exception.

Response Sample

PUT /staged_config/yara_rules
Uploads the supplied Yara rule file to the QRadar system. If the provided Yara file
is empty - all rules are deleted from the system.

Uploads the supplied Yara rule file to the QRadar system.

Table 1095. PUT /staged_config/yara_rules resource details
MIME Type
text/plain

Chapter 6. REST API V8.0 References 563

 Table 1096. PUT /staged_config/yara_rules request body details
MIME
Parameter Data Type Type Description Sample
file File application/ Required - The Yara File
zip rule file. Must be
properly-formed Yara
rule content, either a
TEXT file, or a TEXT
file within a ZIP or
TAR.GZ archive. Must
be provided with MIME
type text/plain,
application/zip,
application/x-gzip or
multipart/form-data

Table 1097. PUT /staged_config/yara_rules response codes

HTTP Response
Code Unique Code Description
200 The supplied Yara rule file was uploaded.
422 1101 Must be a correctly-formatted Yara rule file.
422 1103 The archive file must only contain a single Yara rule
file.
422 1107 Invalid archive file was provided.
500 1104 Failed to extract the contents of the archive file.
500 1105 Yara validator script was terminated owing to
timeout.
500 1106 Yara validator script encountered an unknown
exception.

Response Description

In case of an error, the method returns an exception.

Response Sample

System endpoints
Use the references for REST API V8.0 system endpoints.

GET /system/information/locales
Retrieves a list of locales from the system, with the option to include samples.

Retrieves a list of locales from the system, with the option to include samples.
Table 1098. GET /system/information/locales resource details
MIME Type
application/json

564 QRadar API Reference Guide

Table 1099. GET /system/information/locales request parameter details
Parameter Type Optionality Data Type MIME Type Description
sample_type query Optional String text/plain Optional - type of
samples for the locale.
Currently the only
supported option is
NUMBER.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The list
is indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1100. GET /system/information/locales response codes

HTTP Response
Code Unique Code Description
200 The requested list of locales was retrieved.
500 1020 An error occurred during the attempt to retrieve the
list of locales.

Response Description

A list of locales. A locale contains the following fields:

v id - String - The tag of the locale.
v label - String - The name of the locale.
v sample - String - The optional sample for the locale.

Response Sample
[
{
"id": "sq",
"label": "Albanian",
"sample": "1 234 567,89"
},
{
"id": "sq-AL",
"label": "Albanian (Albania)",
"sample": "1 234 567,89"
},
{

Chapter 6. REST API V8.0 References 565

 "id": "ar",
"label": "Arabic",
"sample": "}"
},
{
"id": "ar-DZ",
"label": "Arabic (Algeria)",
"sample": "1.234.567,89"
},
{
"id": "ar-BH",
"label": "Arabic (Bahrain)",
"sample": "}"
}
]

GET /system/servers
Retrieve a list of all server hosts in the deployment.
Table 1101. GET /system/servers resource details
MIME Type
application/json

Table 1102. GET /system/servers request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1103. GET /system/servers response codes

HTTP Response
Code Unique Code Description
200 The requested list of server records has been
successfully retrieved.

566 QRadar API Reference Guide

 Table 1103. GET /system/servers response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error has occurred while trying to retrieve the
requested servers.

Response Description
A list of the servers. A server record contains the following fields:
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
[
{
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}
]

GET /system/servers/{server_id}
Retrieve a server host based on the supplied server ID.
Table 1104. GET /system/servers/{server_id} resource details
MIME Type
application/json

Table 1105. GET /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 6. REST API V8.0 References 567

 Table 1106. GET /system/servers/{server_id} response codes
HTTP Response
Code Unique Code Description
200 The requested server record has been retrieved.
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Response Description

A server record containing the following fields:

v email_server_address - String - email server address
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

POST /system/servers/{server_id}
Updates an existing server.
Table 1107. POST /system/servers/{server_id} resource details
MIME Type
application/json

Table 1108. POST /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

568 QRadar API Reference Guide

 Table 1109. POST /system/servers/{server_id} request body details
Parameter Data Type MIME Type Description Sample
details Object application/json Required - A server {
details record "email_server_address":
containing the "String" }
following field:

email_server_address -
String - email server
address. Must be a
valid server address
that the server can
connect to through port
25.

Table 1110. POST /system/servers/{server_id} response codes

HTTP Response
Code Unique Code Description
200 The server record has been updated.
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
422 1006 Cannot connect to the mail server address on port
25.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Response Description

The updated server record containing the following fields:

v email_server_address - String - email server address.
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

GET /system/servers/{server_id}/firewall_rules
Retrieve a list of access control firewall rules based on the supplied server ID.
Table 1111. GET /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Chapter 6. REST API V8.0 References 569

 Table 1112. GET /system/servers/{server_id}/firewall_rules request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1113. GET /system/servers/{server_id}/firewall_rules response codes

HTTP Response
Code Unique Code Description
200 The rules records have been retrieved.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested access control firewall rules on the server
with the given Id.

Response Description
A list of the rules. Each rule record contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

570 QRadar API Reference Guide

 Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

PUT /system/servers/{server_id}/firewall_rules
Set the access control firewall rules based on the supplied server ID.
Table 1114. PUT /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 1115. PUT /system/servers/{server_id}/firewall_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

Table 1116. PUT /system/servers/{server_id}/firewall_rules request body details

Parameter Data Type MIME Type Description Sample
rules Array<Object> application/json Required - A list of new [ { "is_any_source_ip":
rules in a JSON string. true, "port_range":
Each rule record "String", "port_type":
contains the following "String <one of: ANY,
field: SINGLE, RANGE>",
v is_any_source_ip - "protocol": "String <one
Boolean - Whether of: ANY, TCP, UDP>",
"single_port": "String",
any source IP is
"source_ip": "String" } ]
accepted
v port_range - String -
A port range in the
format of start-end
v port_type - String -
one of: ANY,
SINGLE, RANGE
v protocol - String -
one of: ANY, TCP,
UDP
v single_port - String -
A single port
v source_ip - String - A
specific IP address.

Table 1117. PUT /system/servers/{server_id}/firewall_rules response codes

HTTP Response
Code Unique Code Description
200 The rules have been updated.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.

Chapter 6. REST API V8.0 References 571

 Table 1117. PUT /system/servers/{server_id}/firewall_rules response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error has occurred while trying to set the access
control firewall rules on the server with the given Id.

Response Description
A list of the rules in a JSON string. Each rule contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

GET /system/servers/{server_id}/network_interfaces/bonded
Retrieves a list of the bonded network interfaces based on the supplied server ID.
Table 1118. GET /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 1119. GET /system/servers/{server_id}/network_interfaces/bonded request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

572 QRadar API Reference Guide

Table 1119. GET /system/servers/{server_id}/network_interfaces/bonded request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1120. GET /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response
Code Unique Code Description
200 A list of the bonded network interfaces were
retrieved.
404 1002 The requested server with the given server ID
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the
bonded interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

A list of the bonded network interfaces. Each record contains the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: YES,
NO, UNKNOWN
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a
new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.

Chapter 6. REST API V8.0 References 573

 v slaves - List - The slaves of the bonded network interface. Each slave record
contains the follow fields:
device_name - String - The name of the slave interface.
desc - String - The description of the slave interface.
role - String - The role of the slave interface. One of: slave, slave_disabled
is_cable_linked - String - Is the slave interface cable linked. One of: true,
false, unknown

Response Sample
[
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true,
false,
unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}
]

POST /system/servers/{server_id}/network_interfaces/bonded
Creates a new bonded network interface.
Table 1121. POST /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

574 QRadar API Reference Guide

Table 1122. POST /system/servers/{server_id}/network_interfaces/bonded request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.

Table 1123. POST /system/servers/{server_id}/network_interfaces/bonded request body

details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - The details of the bonded { "bonding_opts": "String", "ip": "String", "ipversion": "String
json network interface that contains the following <one of: ipv4, ipv6>", "is_auto_ip": true,
fields: "is_moving_config_with_active_ha": true, "mask": "String",
"role": "String <one of: regular, management, hacrossover,
v role - String - The role of the network
hacrossover_disabled, monitor, disabled, slave,
interface. One of: regular, monitor, slave_disabled>", "slaves": [ { "device_name": "String" } ] }
disabled.

v ipversion - String - The verson of the IP

address that is configured on the network
interface. One of: ipv4, ipv6.

v ip - String - The IP address that is

configured on the network interface. This
parameter is required when ipversion is
ipv4 or (ipversion is ipv6 and is_auto_ip
is false). The subnet that is computed
from the IP address and the mask must
not be the same subnet that is configured
on the management interface.

v mask - String - The netmask that is

configured on the network interface. This
parameter is equired when ipversion is
ipv4. The subnet that is computed from
the ip and the mask must not be the same
subnet that is configured on the
management interface.

v is_auto_ip - Boolean - Is the address

auto-configured? Required.

v is_moving_config_with_active_ha -
Boolean - Applies the same settings to a
new active HA server during failover.
This parameter can be true only when the
server host is an active HA server host.

v bonding_opts - String - The bonding

options that are configured on the bonded
network interface.

Table 1124. POST /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response
Code Unique Code Description
201 The bonded network interface was created.
404 1002 The requested server with the given server_id
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to create the bonded
interface on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description
The created bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.

Chapter 6. REST API V8.0 References 575

 v ipversion - String - The verson of the IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The Ip address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the Ip address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave
interface has one field: device_name. The device_name must be an existing
ethernet interface that cannot be the management interface, the HA crossover
interface or a slave interface of another bonded network interface. The array
must contain at least one ethernet interface.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}

576 QRadar API Reference Guide

POST /system/servers/{server_id}/network_interfaces/bonded/
{device_name}
Updates an existing bonded network interface.
Table 1125. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
resource details
MIME Type
application/json

Table 1126. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request parameter details
Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number text/plain Required - The ID of the server.
(Integer)
device_name path Required String text/plain Required - The name of an existing bonded
network interface. The interface cannot be
the management interface or HA crossover
interface. The interface must be cable linked.

Table 1127. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request body details
Parameter Data Type MIME Type Description Sample
details Object application/json Required - The details of the bonded network { "bonding_opts": "String", "ip": "String",
interface that contains the following fields: "ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
v role - String - The role of the network interface.
"is_moving_config_with_active_ha": true, "mask":
One of: regular, monitor, disabled "String", "role": "String <one of: regular,
v ipversion - String - The verson of the IP address management, hacrossover, hacrossover_disabled,
monitor, disabled, slave, slave_disabled>", "slaves":
that is configured on the network interface. one
[ { "device_name": "String" } ] }
of: ipv4, ipv6.

v ip - String - The IP address that is configured on

the network interface. This parameter is required
when ipversion is ipv4 or (ipversion is ipv6 and
is_auto_ip is false). The subnet that is computed
from the IP address and the mask must not be
the same subnet that is configured on the
management interface.

v mask - String - The netmask that is configured

on the network interface. This parameter is
equired when ipversion is ipv4. The subnet that
is computed from the IP address and the mask
must not be the same subnet that is configured
on the management interface.

v is_auto_ip - Boolean - Is the IP address

auto-configured? Required.

v is_moving_config_with_active_ha - Boolean -
Applies the same settings to a new active HA
server during failover. This parameter can be
true only when the server host is an active HA
server host

v slaves - Array - The slave ethernet interfaces of

the bonded interface. Each slave interface has
one field: device_name. The device_name must
be an existing ethernet interface wthat cannot be
the management interface, the HA crossover
interface, or a slave interface of another bonded
network interface. If slaves are not null, the
slaves in this array will override the existing
slaves of the bonded interface. When not null,
the array must contain at least one ethernet
interface. If null, the endpoint does not change
the existing slave interfaces.

v bonding_opts - String - The bonding options

that are configured on the bonded network
interface

Table 1128. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}

response codes
HTTP Response
Code Unique Code Description
200 The bonded network interface was updated.

Chapter 6. REST API V8.0 References 577

 Table 1128. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The requested server with the given server ID
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the
specified bonded interfaces on the server with the
given ID.
500 1022 Timeout while performing the task.

Response Description

The updated bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. one of: ipv4, ipv6
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave
interface has two fields: device_name and role. The role is slave or
slave_disabled.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true, false, unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,

578 QRadar API Reference Guide

 slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}

DELETE /system/servers/{server_id}/network_interfaces/
bonded/{device_name}
Removes a bonded network interface.
Table 1129. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}
resource details
MIME Type
text/plain

Table 1130. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request parameter details
Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number text/plain Required - The ID of the
(Integer) server.
device_name path Required String text/plain Required - The device
name of the bonded
network interface.

Table 1131. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}

response codes
HTTP Response
Code Unique Code Description
200 The bonded network interface was removed.
404 1002 The requested server with the given server ID or the
bonded network interface cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to remove the
bonded interface on the server with the given ID.
500 1022 Timeout while performing the task.

Chapter 6. REST API V8.0 References 579

 Response Description

Response Sample

GET /system/servers/{server_id}/network_interfaces/ethernet
Retrieves a list of the ethernet network interfaces based on the supplied server ID.
Table 1132. GET /system/servers/{server_id}/network_interfaces/ethernet resource details
MIME Type
application/json

Table 1133. GET /system/servers/{server_id}/network_interfaces/ethernet request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1134. GET /system/servers/{server_id}/network_interfaces/ethernet response codes

HTTP Response
Code Unique Code Description
200 A list of the ethernet network interfaces were
retrieved.
404 1002 The requested server with the given server ID
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the
ethernet interfaces on the server with the given ID.

580 QRadar API Reference Guide

Table 1134. GET /system/servers/{server_id}/network_interfaces/ethernet response
codes (continued)
HTTP Response
Code Unique Code Description
500 1022 Timeout while performing the task.

Response Description

A list of the ethernet network interfaces. Each ethernet network interface contains
the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The IP that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface
v is_auto_ip - Boolean - Is the IP auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: true,
false, unknown.
v is_moving_config_with_active_ha - Boolean -Applies the same settings to a new
active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.

Response Sample
[
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]

Chapter 6. REST API V8.0 References 581

 POST /system/servers/{server_id}/network_interfaces/ethernet/
{device_name}
Updates an ethernet network interface based on the suppied server_Id and
device_name.
Table 1135. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
resource details
MIME Type
application/json

Table 1136. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.
device_name path Required String text/plain Required - The name
of an existing
ethernet network
interface. The
interface cannot be
the management
interface, HA
crossover interface or
a slave of a bonded
interface. The
interface must be
cable linked.

582 QRadar API Reference Guide

Table 1137. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
request body details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - An ethernet network { "ip": "String", "ipversion": "String <one of:
json interface record containing the ipv4, ipv6>", "is_auto_ip": true,
following fields: "is_moving_config_with_active_ha": true,
"mask": "String", "role": "String <one of: regular,
v role - String - The role of the
management, hacrossover,
network interface. One of:
hacrossover_disabled, monitor, disabled, slave,
regular, monitor, disabled. slave_disabled>" }
v ipversion - String - The
verson of the IP address that
is configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address
that is configured on the
network interface. Required
when ipversion is ipv4 or
(ipversion is ipv6 and
is_auto_ip is false). The
subnet that is computed from
the IP address and the mask
must not be the same subnet
that is configured on the
management interface.
v mask - String - The netmask
that is configured on the
network interface. This
parameter is required when
ipversion is ipv4. The subnet
that is computed from the IP
address and the mask must
not be the same subnet that
is configured on the
management interface.
v is_auto_ip - Boolean - Is the
IP auto-configured. Required.
v is_moving_config
_with_active_ha - Boolean -
Applies the same settings to
a new active HA server
during failover. This
parameter can be true only
when the server host is an
active HA server host.

Table 1138. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}

response codes
HTTP Response
Code Unique Code Description
200 The network interface has been updated.
404 1002 The requested server with the given server ID
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the
specified ethernet interfaces on the server with the
given ID.
500 1022 Timeout while performing the task.

Response Description
The updated ethernet network interface containing the following fields:
v device_name - String - The name of the network interface.

Chapter 6. REST API V8.0 References 583

 v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the that is IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.

Response Sample
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}

GET /system/servers/{server_id}/system_time_settings
Retrieves the system time and time zone settings of a server host based on the
supplied server ID.

Retrieves the system time and time zone settings of a server host based on the
supplied server ID.
Table 1139. GET /system/servers/{server_id}/system_time_settings resource details
MIME Type
application/json

Table 1140. GET /system/servers/{server_id}/system_time_settings request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.

584 QRadar API Reference Guide

 Table 1140. GET /system/servers/{server_id}/system_time_settings request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1141. GET /system/servers/{server_id}/system_time_settings response codes

HTTP Response
Code Unique Code Description
200 The requested system time settings record was
retrieved.
404 1002 The requested system time settings record with the
given server ID cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
requested system time settings with the given server
ID.
500 1022 Timeout while performing the task.

Response Description
Server system time settings that contain the following fields:
v timezone_id - String - the current time zone
v current_time - Long - The current epoch time (number of milliseconds after
Epoch).
v is_sync_with_ntp_server - Boolean - Whether the NTP service is used to
synchronize the system time with configured NTP time servers.
v ntp_server_addresses - Array - The array of the configured NTP server
addresses. Null if is_sync_with_ntp_server is false.

Response Sample
{
"current_time": 42,
"ntp_server_addresses": [
"String"
],
"sync_with_ntp_server": true,
"timezone_id": "String"
}

POST /system/servers/{server_id}/system_time_settings
Sets the system time and time zone settings of a server host. Services are restarted
after the call and service interruptions will occur.

Chapter 6. REST API V8.0 References 585

 Sets the system time and time zone settings of a server host.
Table 1142. POST /system/servers/{server_id}/system_time_settings resource details
MIME Type
application/json

Table 1143. POST /system/servers/{server_id}/system_time_settings request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

586 QRadar API Reference Guide

Table 1144. POST /system/servers/{server_id}/system_time_settings request body details
MIME
Parameter Data Type Type Description Sample
settings Object application/ Server system time settings that { "current_time": 42,
json contain the following fields: "ntp_server_addresses":
v timezone_id - String - The [ "String" ],
current time zone. "sync_with_ntp_server":
true, "timezone_id":
v is_sync_with_ntp_server - "String" }
boolean - Is the NTP service used
to synchronize the system time
with configured NTP time
servers?
v current__time - Long - The
current epoch time (number of
milliseconds after Epoch). This
parameter must be provided
when is_sync_with_ntp_server is
false. This parameter must be
null if is_sync_with_ntp_server is
true.
v ntp_server_addresses - Array -
The array of the NTP server
addresses to synchronize the time
with. This parameter must be
provided when
is_sync_with_ntp_server is true.
Only the syntax and DNS
lookups are checked. The
reachability to the ntp servers
from the server host are not
verified because most ntp servers
are rate limited. Four or more
NTP servers are recommended
for time high accuracy. Must be
null if is_sync_with_ntp_server is
false.

Table 1145. POST /system/servers/{server_id}/system_time_settings response codes

HTTP Response
Code Unique Code Description
200 The system time settings have been applied.
404 1002 The requested server with the given server ID
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred during the attempt to apply the
system time settings to the server.
500 1022 Timeout during performance of the task.

Response Description
Server system time settings that contain the following fields:
v timezone_id - String - The current time zone.
v current_time - Long - The current epoch time (number of milliseconds after
Epoch).
v is_sync_with_ntp_server - Boolean - Whether the NTP service is used to
synchronize the system time with configured NTP time servers.

Chapter 6. REST API V8.0 References 587

 v ntp_server_addresses - Array - The array of the configured NTP server
addresses. Null if is_sync_with_ntp_server is false.

Response Sample
{
"current_time": 42,
"ntp_server_addresses": [
"String"
],
"sync_with_ntp_server": true,
"timezone_id": "String"
}

GET /system/servers/{server_id}/timezones
Retrieves all the available time zones that can be set for a server.

Retrieves all the available time zones that can be set for a server.
Table 1146. GET /system/servers/{server_id}/timezones resource details
MIME Type
application/json

Table 1147. GET /system/servers/{server_id}/timezones request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1148. GET /system/servers/{server_id}/timezones response codes

HTTP Response
Code Unique Code Description
200 The requested timezone records were retrieved.
404 1002 The requested timezone records with the given
server ID cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
requested timezone records with the given server Id.
500 1022 Timeout during the performance of the task.

588 QRadar API Reference Guide

Response Description

A list of time zones that contains the following fields:

v id - String - the ID of time zone.
v timezone - String - The formatted string representation of the timezone in the
current locale.
v offset - Integer - Number of milliseconds offset to UTC time at the moment.

Response Sample
[
{
"id": "String",
"offset": 42,
"timezone": "String"
}
]

Chapter 6. REST API V8.0 References 589

590 QRadar API Reference Guide
Chapter 7. Previous REST API versions
Use this reference if you are using REST API version 2.0 or previous.

REST API V7.0 References

Each API reference provides information about the parameters, mime type,
stability, and responses for each endpoint.

Analytics endpoints
Use the references for REST API V7.0 analytics endpoints.

GET /analytics/ade_rules
Retrieves a list of ADE rules.

Retrieves a list of ADE rules.

Table 1149. GET /analytics/ade_rules resource details
MIME Type
application/json

Table 1150. GET /analytics/ade_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Copyright IBM Corp. 2014, 2017 591

 Table 1151. GET /analytics/ade_rules response codes
HTTP Response
Code Unique Code Description
200 The ADE rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
ADE rules.

Response Description

An array of ADE Rule objects. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL,
THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}
]

GET /analytics/ade_rules/{id}
Retrieves an ADE rule.

Retrieves an ADE rule.

Table 1152. GET /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 1153. GET /analytics/ade_rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

592 QRadar API Reference Guide

Table 1153. GET /analytics/ade_rules/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1154. GET /analytics/ade_rules/{id} response codes

HTTP Response
Code Unique Code Description
200 The ADE rule was retrieved.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to retrieve the
ADE rule.

Response Description

The ADE rule after it is retrieved. An ADE Rule object contains the following
fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL,
THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

POST /analytics/ade_rules/{id}
Updates the ADE rule owner or enabled/disabled only.

Updates the ADE rule owner or enabled/disabled only.

Table 1155. POST /analytics/ade_rules/{id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 593

 Table 1156. POST /analytics/ade_rules/{id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1157. POST /analytics/ade_rules/{id} request body details

MIME
Parameter Data Type Type Description Sample
ade_rule Object application/ null { "id": "1", "name":
json "String", "type": "String",
"owner": "String" }

Table 1158. POST /analytics/ade_rules/{id} response codes

HTTP Response
Code Unique Code Description
200 The ADE rule was updated.
403 1009 You do not have the required capabilities to update
the ADE rule.
404 1002 The ADE rule does not exist.
409 1004 The provided user does not have the required
capabilities to own the ADE rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
ADE rule.

Response Description

The ADE rule after it is updated. An ADE Rule object contains the following fields:
v id - Long - The ID of the ADE rule.
v name - String - The name of the ADE rule.
v ade_rule_type - String - The type of ADE rule: ANOMALY, BEHAVIORAL,
THRESHOLD.
v enabled - Boolean - True if the ADE rule is enabled.
v owner - String - The owner of the ADE rule.

Response Sample
{
"enabled": true,
"id": 42,

594 QRadar API Reference Guide

 "name": "String",
"owner": "String",
"type": "String <one of: ANOMALY, BEHAVIORAL, THRESHOLD>"
}

DELETE /analytics/ade_rules/{id}
Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out.
The check might take some time. An asynchronous task is started to do this check.

Deletes an ADE rule. To ensure safe deletion, a dependency check is carried out.
The check might take some time. An asynchronous task is started to do this check.
Table 1159. DELETE /analytics/ade_rules/{id} resource details
MIME Type
application/json

Table 1160. DELETE /analytics/ade_rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1161. DELETE /analytics/ade_rules/{id} response codes

HTTP Response
Code Unique Code Description
202 The ADE rule delete command was accepted and is
in progress.
403 1009 You do not have the required capabilities to delete
the ADE rule.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to delete the
ADE rule.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.

Chapter 7. Previous REST API versions 595

 v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/ade_rules/{id}/dependents
Retrieves the objects that depend on the ADE rule.

Retrieves the objects that depend on the ADE rule.

Table 1162. GET /analytics/ade_rules/{id}/dependents resource details
MIME Type
application/json

Table 1163. GET /analytics/ade_rules/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

596 QRadar API Reference Guide

Table 1163. GET /analytics/ade_rules/{id}/dependents request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1164. GET /analytics/ade_rules/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The ADE rule dependents retrieval was accepted
and is in progress.
404 1002 The ADE rule does not exist.
500 1020 An error occurred during the attempt to initiate the
ADE rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_dependents_tasks/{task_id}". A Dependent
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.

Chapter 7. Previous REST API versions 597

 sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,

598 QRadar API Reference Guide

 FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id}
Retrieves the delete the ADE rule task status.

Retrieves the delete ADE rule task status.

Table 1165. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1166. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1167. GET /analytics/ade_rules/ade_rule_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Chapter 7. Previous REST API versions 599

 Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Retrieves the dependent the ADE rule task status.

Retrieves the dependent ADE rule task status.

Table 1168. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1169. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

600 QRadar API Reference Guide

Table 1169. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1170. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects tha were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.

Chapter 7. Previous REST API versions 601

 sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,

602 QRadar API Reference Guide

 FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}
Cancels a dependent the ADE rule task.

Cancels a dependent ADE rule task.

Table 1171. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1172. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 603

 Table 1173. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} request body
details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 1174. POST /analytics/ade_rules/ade_rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Dependent Task Status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/ade_rules/ade_rule_dependent_tasks/{task_id}". A Dependent
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.

604 QRadar API Reference Guide

v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

Chapter 7. Previous REST API versions 605

 PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/
results
Retrieves the ADE rule dependent task results.

Retrieves the ADE rule dependent task results.

Table 1175. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results resource
details
MIME Type
application/json

Table 1176. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

606 QRadar API Reference Guide

Table 1177. GET /analytics/ade_rules/ade_rule_dependent_tasks/{task_id}/results response
codes
HTTP Response
Code Unique Code Description
200 The ADE rule dependents were retrieved.
404 1002 The dependent task dtatus does not exist.
500 1020 An error occurred during the attempt to retrieve the
ADE rules.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,

Chapter 7. Previous REST API versions 607

 EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/building_blocks
Retrieves a list of building block rules.

Retrieves a list of building block rules.

Table 1178. GET /analytics/building_blocks resource details
MIME Type
application/json

Table 1179. GET /analytics/building_blocks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

608 QRadar API Reference Guide

Table 1179. GET /analytics/building_blocks request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1180. GET /analytics/building_blocks response codes

HTTP Response
Code Unique Code Description
200 The building block rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
building block rules.

Response Description

An array of Building Block Rule objects. An Building Block Rule object contains the
following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW,
COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE,
USER.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}
]

GET /analytics/building_blocks/building_block_delete_tasks/
{task_id}
Retrieves the delete the building block rule task status.

Retrieves the delete building block rule task status.

Chapter 7. Previous REST API versions 609

 Table 1181. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} resource
details
MIME Type
application/json

Table 1182. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1183. GET /analytics/building_blocks/building_block_delete_tasks/{task_id} response

codes
HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

610 QRadar API Reference Guide

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/building_blocks/building_block_dependent_tasks/
{task_id}
Retrieves the dependent the building block rule task status.

Retrieves the dependent building block rule task status.

Table 1184. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}
resource details
MIME Type
application/json

Table 1185. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 611

 Table 1186. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}
response codes
HTTP Response
Code Unique Code Description
200 The Delete Task Status was retrieved.
404 1002 The Delete Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
Delete Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

612 QRadar API Reference Guide

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

Chapter 7. Previous REST API versions 613

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/building_blocks/
building_block_dependent_tasks/{task_id}
Cancels the dependent the building block rule task.

Cancels the dependent building block rule task.

Table 1187. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}
resource details
MIME Type
application/json

Table 1188. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1189. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}

request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

614 QRadar API Reference Guide

Table 1190. POST /analytics/building_blocks/building_block_dependent_tasks/{task_id}
response codes
HTTP Response
Code Unique Code Description
200 The Delete Task Status has been retrieved.
404 1002 The Dependent Task Status does not exist.
409 1004 The task is in a completed state
422 1005 A request parameter is not valid
500 1020 An error occurred during the attempt to update the
Dependent Task Status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of
the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.

Chapter 7. Previous REST API versions 615

 completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,

616 QRadar API Reference Guide

 FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/building_blocks/building_block_dependent_tasks/
{task_id}/results
Retrieves the building block rule dependent task results.

Retrieves the building block rule dependent task results

Table 1191. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results
resource details
MIME Type
application/json

Table 1192. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1193. GET /analytics/building_blocks/building_block_dependent_tasks/{task_id}/results

response codes
HTTP Response
Code Unique Code Description
200 The building block rule dependents were retrieved.
404 1002 The Dependent Task Status does not exist.
500 1020 An error occurred during the attempt to retrieve the
building block rules.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.

Chapter 7. Previous REST API versions 617

 v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of: ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

618 QRadar API Reference Guide

GET /analytics/building_blocks/{id}
Retrieves a building block rule.

Retrieves a building block rule.

Table 1194. GET /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 1195. GET /analytics/building_blocks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1196. GET /analytics/building_blocks/{id} response codes

HTTP Response
Code Unique Code Description
200 The building block rule was retrieved.
404 1002 The building block rule does not exist.
500 1020 An error occurred during the attempt to retrieve the
building block rule.

Response Description

The building block rule after it is retrieved. An Building Block Rule object contains
the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW,
COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE,
USER.

Response Sample
{
"enabled": true,
"id": 42,

Chapter 7. Previous REST API versions 619

 "name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

POST /analytics/building_blocks/{id}
Updates the building block rule owner or enabled/disabled only.

Updates the building block rule owner or enabled/disabled only.

Table 1197. POST /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 1198. POST /analytics/building_blocks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1199. POST /analytics/building_blocks/{id} request body details

MIME
Parameter Data Type Type Description Sample
building_block Object application/ null { "id": "1", "name":
json "String", "type": "String",
"owner": "String" }

Table 1200. POST /analytics/building_blocks/{id} response codes

HTTP Response
Code Unique Code Description
200 The building block rule was updated.
403 1009 You do not have the required capabilities to update
the building block rule.
404 1002 The building block rule does not exist.
409 1004 The provided user does not have the required
capabilities to own the building block rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
building block rule.

620 QRadar API Reference Guide

Response Description

The building block rule after it has been updated. An Building Block Rule object
contains the following fields:
v id - Long - The ID of the building block rule.
v name - String - The name of the building block rule.
v building_block_type - String - The type of building block rule: EVENT, FLOW,
COMMON, USER.
v enabled - Boolean - True if the building block rule is enabled.
v owner - String - The owner of the building block rule.
v origin - String - The origin of the building block rule: SYSTEM, OVERRIDE,
USER.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

DELETE /analytics/building_blocks/{id}
Deletes the building block rule. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task is started for
this check.

Deletes the building block rule. To ensure safe deletion we check if anything
depends on it, this may take some time. Therefore we start an asynchronous task
to do this.
Table 1201. DELETE /analytics/building_blocks/{id} resource details
MIME Type
application/json

Table 1202. DELETE /analytics/building_blocks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 621

 Table 1203. DELETE /analytics/building_blocks/{id} response codes
HTTP Response
Code Unique Code Description
202 The building block rule delete command was
accepted and is in progress.
403 1009 You do not have the required capabilities to delete
the building block rule.
404 1002 The building block rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
building block rule.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_delete_tasks/{task_id}". A Delete
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

622 QRadar API Reference Guide

GET /analytics/building_blocks/{id}/dependents
Retrieves the objects that depend on the building block rule.

Retrieves the objects that depend on the building block rule

Table 1204. GET /analytics/building_blocks/{id}/dependents resource details
MIME Type
application/json

Table 1205. GET /analytics/building_blocks/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1206. GET /analytics/building_blocks/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The building block rule dependents retrieval was
accepted and is in progress.
404 1002 The building block rule does not exist.
500 1020 An error occurred during the attempt to initiate the
building block rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/analytics/building_blocks/building_block_dependents_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.

Chapter 7. Previous REST API versions 623

 v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,

624 QRadar API Reference Guide

 "status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/custom_actions/actions
Retrieves a list of available custom actions.

Retrieves a list of available custom actions.

Table 1207. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 1208. GET /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 625

 Table 1208. GET /analytics/custom_actions/actions request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1209. GET /analytics/custom_actions/actions response codes

HTTP Response
Code Unique Code Description
200 The requested list of custom actions have been
successfully retrieved.
500 1020 An internal server error occurred while retrieving
custom actions.

Response Description

Array of available custom actions which in turn contain the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{

626 QRadar API Reference Guide

 "encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions
Creates a new custom action with the supplied fields.

Creates a new custom action with the supplied fields. The custom action must
contain the following fields:
v name - Required - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Required - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Required - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.
value - Required - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 1210. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 627

 Table 1211. POST /analytics/custom_actions/actions request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1212. POST /analytics/custom_actions/actions request body details

MIME
Parameter Data Type Type Description Sample
custom_action Object application/ Custom action JSON { "description":
json object containing the "String", "interpreter":
supplied fields (see 42, "name": "String",
above for more "parameters": [ {
details). "encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 1213. POST /analytics/custom_actions/actions response codes

HTTP Response
Code Unique Code Description
201 A new custom action has been successfully created.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while posting
custom action.

Response Description

The newly created custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
628 QRadar API Reference Guide
 parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

GET /analytics/custom_actions/actions/{action_id}
Retrieves a custom action based on the supplied action_id.

Retrieves a custom action based on the supplied action_id.

Table 1214. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 1215. GET /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Long id of the custom
(Integer) action to be retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1216. GET /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action has been successfully
retrieved.
404 1002 The requested custom action could not be found.

Chapter 7. Previous REST API versions 629

 Table 1216. GET /analytics/custom_actions/actions/{action_id} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An internal server error occurred while retrieving
custom action with supplied action_id.

Response Description

A custom action with containing following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id}
Updates an existing custom action.

Updates an existing custom action. The custom action should contain the following
fields:
v id - Required - Number - Unique ID of the custom action within the QRadar
deployment.
v name - Optional - String - Unique name of the custom action within the QRadar
deployment.

630 QRadar API Reference Guide

v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Optional - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Optional - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.
value - Optional - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 1217. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 1218. POST /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action to be
updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 631

 Table 1219. POST /analytics/custom_actions/actions/{action_id} request body details
MIME
Parameter Data Type Type Description Sample
custom_action Object application/ Custom action JSON { "description":
json object which can "String", "id": 42,
contain the supplied "interpreter": 42,
fields (see above for "name": "String",
more details). "parameters": [ {
"encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 1220. POST /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The custom action has been updated.
404 1002 The requested custom action could not be found.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while updating
custom action with supplied action_id.

Response Description

The updated custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",

632 QRadar API Reference Guide

 "parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

DELETE /analytics/custom_actions/actions/{action_id}
Deletes an existing custom action.

Deletes an existing custom action.

Table 1221. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 1222. DELETE /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action you wish
to delete.

Table 1223. DELETE /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
204 The custom action has been deleted.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while deleting
custom action with supplied action_id.

Response Description

Empty response with 204 successful response code.

Response Sample

GET /analytics/custom_actions/interpreters
Retrieves a list of available custom action interpreters.

Retrieves a list of available custom action interpreters.

Table 1224. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 633

 Table 1225. GET /analytics/custom_actions/interpreters request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1226. GET /analytics/custom_actions/interpreters response codes

HTTP Response
Code Unique Code Description
200 The requested list of custom action interpreters have
been retrieved.
500 1020 An internal server error occurred while retrieving
available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

GET /analytics/custom_actions/interpreters/{interpreter_id}
Retrieves a custom action interpreter based on supplied interpreter_id.

Retrieves a custom action interpreter based on supplied interpreter_id.

634 QRadar API Reference Guide
Table 1227. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 1228. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
interpreter_id path Required Number text/plain Number id of custom
(Integer) action interpreter to
be retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

Table 1229. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action interpreter has been
retrieved.
404 1002 The requested custom action interpreter could not be
found.
500 1020 An internal server error occurred while retrieving
custom action interpreter with supplied
interpreter_id.

Response Description

A custom action interpreter with the following fields:

v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
{
"id": 42,
"name": "String"
}

GET /analytics/custom_actions/scripts
Retrieves a list of meta-data for available custom action script files.

Retrieves a list of meta-data for available custom action script files.

Chapter 7. Previous REST API versions 635

 Table 1230. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 1231. GET /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1232. GET /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
500 1020 An internal server error occurred while retrieving
available custom action script file meta-data.

Response Description

Array of available custom action script file meta-data, each with the following
fields:
v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

636 QRadar API Reference Guide

Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts
Creates a new custom action script file. Newly created custom action script files
require a deployment before using.

Creates a new custom action script file. Newly created custom action script files
require a deployment before using. Users can include an optional HTTP header
file_name containing the custom action script file name. If not specified this is
defaulted to the script id of the uploaded file.
Table 1233. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 1234. POST /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1235. POST /analytics/custom_actions/scripts request body details

MIME
Parameter Data Type Type Description Sample
file File application/ Required. The custom File
octet-stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Table 1236. POST /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
201 A custom action script file has been created.
500 1020 An internal server error occurred while posting
custom action script file.

Chapter 7. Previous REST API versions 637

 Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script within the QRadar
deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/scripts/{script_id}
Retrieves meta-data of a custom action script file based on supplied script_id.

Retrieves meta-data of a custom action script file based on supplied script_id.

Table 1237. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 1238. GET /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script
file.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1239. GET /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while retrieving
custom action script file meta-data with supplied
script_id.

638 QRadar API Reference Guide

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id}
Updates an existing custom action script file. Updated custom action script files
require a deployment before using.

Updates an existing custom action script file. Updated custom action script files
require a deployment before using. Users can include an optional HTTP header
file_name containing the custom action script file name. If not specified this is
defaulted to the script id of the uploaded file.
Table 1240. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 1241. POST /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1242. POST /analytics/custom_actions/scripts/{script_id} request body details

MIME
Parameter Data Type Type Description Sample
file File application/ Required. The custom File
octet-stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Chapter 7. Previous REST API versions 639

 Table 1243. POST /analytics/custom_actions/scripts/{script_id} response codes
HTTP Response
Code Unique Code Description
200 The custom action script file has been updated.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while updating
custom action script file with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

DELETE /analytics/custom_actions/scripts/{script_id}
Deletes an existing custom action script file.

Deletes an existing custom action script file.

Table 1244. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 1245. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be deleted.

Table 1246. DELETE /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
204 The custom action script file has been deleted.
404 1002 The requested custom action script file could not be
found.
422 1005 The requested custom action script file is tied to an
existing custom action.
500 1020 An internal server error occurred while deleting
custom action script file with supplied script_id.

640 QRadar API Reference Guide

Response Description

Empty response with a 204 successful response code.

Response Sample

GET /analytics/rule_groups
Retrieves a list of the rule groups.

Retrieves a list of the rule groups.

Table 1247. GET /analytics/rule_groups resource details
MIME Type
application/json

Table 1248. GET /analytics/rule_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1249. GET /analytics/rule_groups response codes

HTTP Response
Code Unique Code Description
200 The rule rroups were returned.
500 1020 An error occurred during the attempt to retrieve the
rule groups.

Chapter 7. Previous REST API versions 641

 Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /analytics/rule_groups/{group_id}
Retrieves a rule group.

Retrieves a rule group.

Table 1250. GET /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

642 QRadar API Reference Guide

Table 1251. GET /analytics/rule_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1252. GET /analytics/rule_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The rule group was retrieved.
404 1002 The rule group does not exist.
500 1020 An error occurred during the attempt to retrieve the
rule group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,

Chapter 7. Previous REST API versions 643

 "level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /analytics/rule_groups/{group_id}
Updates the owner of a rule group.

Updates the owner of a rule group.

Table 1253. POST /analytics/rule_groups/{group_id} resource details
MIME Type
application/json

Table 1254. POST /analytics/rule_groups/{group_id} request parameter details

Data
Parameter Type Optionality Type MIME Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object
are separated by commas.

644 QRadar API Reference Guide

Table 1255. POST /analytics/rule_groups/{group_id} request body details
Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object {
with the owner set to a "child_groups": [ 42 ],
valid deployed user.
"child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH _GROUP,
FLOW_SAVED_SEARCH _GROUP,
OFFENSE_SAVED_SEARCH _GROUP,
QRM_SAVED_SEARCH _GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH
_GROUP,
SIMULATION_SAVED_SEARCH
_GROUP,
TOPOLOGY_SAVED_SEARCH
_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED _SEARCH
_GROUP>" }

Table 1256. POST /analytics/rule_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The rule group was updated.
404 1002 The rule group does not exist.
409 1004 The provided user does not have the required
capabilities to own the rule group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
rule group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).

Chapter 7. Previous REST API versions 645

 v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /analytics/rule_groups/{group_id}
Deletes a rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task is started for this check.

Deletes a rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task is started for this check.
Table 1257. DELETE /analytics/rule_groups/{group_id} resource details
MIME Type
text/plain

Table 1258. DELETE /analytics/rule_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

646 QRadar API Reference Guide

Table 1259. DELETE /analytics/rule_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
202 The rule delete command was accepted and is in
progress.
404 1002 The rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
rule.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample

GET /analytics/rules
Retrieves a list of rules.

Retrieves a list of rules

Table 1260. GET /analytics/rules resource details
MIME Type
application/json

Table 1261. GET /analytics/rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 7. Previous REST API versions 647

 Table 1261. GET /analytics/rules request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1262. GET /analytics/rules response codes

HTTP Response
Code Unique Code Description
200 The rules were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
rules.

Response Description

An array of Rule objects. An Rule object contains the following fields:

v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

Response Sample
[
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}
]

648 QRadar API Reference Guide

GET /analytics/rules/rule_delete_tasks/{task_id}
Retrieves the delete the rule task status.

Retrieves the delete rule task status.

Table 1263. GET /analytics/rules/rule_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1264. GET /analytics/rules/rule_delete_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1265. GET /analytics/rules/rule_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Chapter 7. Previous REST API versions 649

 Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/rules/rule_dependent_tasks/{task_id}
Retrieves the dependent rule task status.

Retrieves the dependent rule task status.

Table 1266. GET /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1267. GET /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1268. GET /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

650 QRadar API Reference Guide

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of
the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,

Chapter 7. Previous REST API versions 651

 "progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /analytics/rules/rule_dependent_tasks/{task_id}
Cancels the dependent the rule task.

Cancels the dependent rule task.

652 QRadar API Reference Guide

Table 1269. POST /analytics/rules/rule_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1270. POST /analytics/rules/rule_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1271. POST /analytics/rules/rule_dependent_tasks/{task_id} request body details

Data MIME
Parameter Type Type Description Sample
task Object application/null { "status": "String <one of: CANCELLED,
json CANCELING, CANCEL_REQUESTED,
COMPLETED, CONFLICT, EXCEPTION,
INITIALIZING, INTERRUPTED,
PAUSED, PROCESSING, QUEUED,
RESUMING>" }

Table 1272. POST /analytics/rules/rule_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.

Chapter 7. Previous REST API versions 653

 v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",

654 QRadar API Reference Guide

 "task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /analytics/rules/rule_dependent_tasks/{task_id}/results
Retrieves the rule dependent task results.

Retrieves the rule dependent task results.

Table 1273. GET /analytics/rules/rule_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1274. GET /analytics/rules/rule_dependent_tasks/{task_id}/results request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 655

 Table 1274. GET /analytics/rules/rule_dependent_tasks/{task_id}/results request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1275. GET /analytics/rules/rule_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The rule dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
rules.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,

656 QRadar API Reference Guide

 QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP,
MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE, REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /analytics/rules/{id}
Retrieves a rule.

Retrieves a rule.
Table 1276. GET /analytics/rules/{id} resource details
MIME Type
application/json

Table 1277. GET /analytics/rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 657

 Table 1277. GET /analytics/rules/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1278. GET /analytics/rules/{id} response codes

HTTP Response
Code Unique Code Description
200 The rule was retrieved.
404 1002 The rule does not exist.
500 1020 An error occurred during the attempt to retrieve the
rule.

Response Description

The rule after it has been retrieved. An Rule object contains the following fields:
v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.
v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

POST /analytics/rules/{id}
Updates the rule owner or enabled/disabled only.

Updates the rule owner or enabled/disabled only.

Table 1279. POST /analytics/rules/{id} resource details
MIME Type
application/json

658 QRadar API Reference Guide

Table 1280. POST /analytics/rules/{id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1281. POST /analytics/rules/{id} request body details

MIME
Parameter Data Type Type Description Sample
rule Object application/ Required - Rule object. { "enabled": true, "id":
json 42, "name": "String",
"origin": "String <one of:
SYSTEM, OVERRIDE,
USER>", "owner":
"String", "type": "String
<one of: EVENT, FLOW,
COMMON, OFFENSE>"
}

Table 1282. POST /analytics/rules/{id} response codes

HTTP Response
Code Unique Code Description
200 The rule was updated.
403 1009 You do not have the required capabilities to update
the rule.
404 1002 The rule does not exist.
409 1004 The provided user does not have the required
capabilities to own the rule.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
rule.

Response Description

The rule after it is updated. An Rule object contains the following fields:
v id - Long - The ID of the rule.
v name - String - The name of the rule.
v type - String - The type of rule: EVENT, FLOW, COMMON, USER.
v enabled - Boolean - True if the rule is enabled.
v owner - String - The owner of the rule.

Chapter 7. Previous REST API versions 659

 v origin - String - The origin of the rule: SYSTEM, OVERRIDE, USER.

Response Sample
{
"enabled": true,
"id": 42,
"name": "String",
"origin": "String <one of: SYSTEM, OVERRIDE, USER>",
"owner": "String",
"type": "String <one of: EVENT, FLOW, COMMON, OFFENSE>"
}

DELETE /analytics/rules/{id}
Delete the rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task is started for this check.

Deletes a rule. To ensure safe deletion, a dependency check is carried out. This
check might take some time. An asynchronous task is started for this check.
Table 1283. DELETE /analytics/rules/{id} resource details
MIME Type
application/json

Table 1284. DELETE /analytics/rules/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1285. DELETE /analytics/rules/{id} response codes

HTTP Response
Code Unique Code Description
202 The rule delete command was accepted and is in
progress.
403 1009 You do not have the required capabilities to delete
the rule.
404 1002 The rule does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
rule.

660 QRadar API Reference Guide

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /analytics/rules/{id}/dependents
Retrieves the objects that depend on the rule.

Retrieves the objects that depend on the rule.

Table 1286. GET /analytics/rules/{id}/dependents resource details
MIME Type
application/json

Table 1287. GET /analytics/rules/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 661

 Table 1287. GET /analytics/rules/{id}/dependents request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1288. GET /analytics/rules/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The rule dependents retrieval was accepted and is in
progress.
403 1009 null
404 1002 The rule does not exist.
500 1020 An error occurred during the attempt to initiate the
rule dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/analytics/rules/rule_dependents_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation of
the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of Task Component objects. A Task
Component object contains the following fields:
message - String - The localized sub-task status message.

662 QRadar API Reference Guide

 status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:

Chapter 7. Previous REST API versions 663

 FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

Ariel endpoints
Use the references for REST API V7.0 Ariel endpoints.

GET /ariel/databases
Retrieves a list of available Ariel database names

Retrieves a list of available Ariel databases.

Table 1289. GET /ariel/databases resource details
MIME Type
application/json

Table 1290. GET /ariel/databases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1291. GET /ariel/databases response codes

HTTP Response
Code Unique Code Description
200 The database list was retrieved.

664 QRadar API Reference Guide

Response Description

The names of the available Ariel databases.

Response Sample
[
"String"
]

GET /ariel/databases/{database_name}
Retrieves the columns that are defined for a specific Ariel database.

Retrieves the columns that are defined for the specified Ariel database. This is the
set of columns that can be explicitly named in the column list of a SELECT query.
Table 1292. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 1293. GET /ariel/databases/{database_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
database_name path Required String text/plain Required. The name of
the Ariel database that
contains the columns
that you want to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.

Table 1294. GET /ariel/databases/{database_name} response codes

HTTP Response
Code Unique Code Description
200 The database columns were retrieved.
404 1002 The database does not exist.

Chapter 7. Previous REST API versions 665

 Response Description

A list of columns that are defined for the specified database. Multiple properties of
each column are returned. For example, the column name or an indication that the
column is indexable.

Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,
"name": "String"
}
]
}

GET /ariel/event_saved_search_groups
Retrieves a list the event Ariel saved search groups.

Retrieves a list the event Ariel saved search groups.

Table 1295. GET /ariel/event_saved_search_groups resource details
MIME Type
application/json

Table 1296. GET /ariel/event_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

666 QRadar API Reference Guide

Table 1297. GET /ariel/event_saved_search_groups response codes
HTTP Response
Code Unique Code Description
200 The event Ariel saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
event Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group ids.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

Chapter 7. Previous REST API versions 667

 GET /ariel/event_saved_search_groups/{group_id}
Retrieves an event Ariel saved search group.

Retrieves an event Ariel saved search group.

Table 1298. GET /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1299. GET /ariel/event_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1300. GET /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The event Ariel saved search group was retrieved.
404 1002 The vent Ariel saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
event Ariel saved search groups.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

668 QRadar API Reference Guide

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/event_saved_search_groups/{group_id}
Updates the owner of an event Ariel saved search group.

Updates the owner of an event Ariel saved search group.

Table 1301. POST /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1302. POST /ariel/event_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 669

 Table 1303. POST /ariel/event_saved_search_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/Required - Group {
json object with the "child_groups": [ 42 ],
owner set to a valid
deployed user. "child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH _GROUP,
FLOW_SAVED_SEARCH _GROUP,
OFFENSE_SAVED_SEARCH _GROUP,
QRM_SAVED_SEARCH _GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH
_GROUP,
SIMULATION_SAVED_SEARCH
_GROUP,
TOPOLOGY_SAVED_SEARCH
_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED _SEARCH
_GROUP>" }

Table 1304. POST /ariel/event_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The event Ariel saved search group was updated.
404 1002 The event Ariel saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the Eevent Ariel saved search
group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
event Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The id of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.

670 QRadar API Reference Guide

v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group ids.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/event_saved_search_groups/{group_id}
Deletes an event Ariel saved search group.

Deletes an event Ariel saved search group.

Table 1305. DELETE /ariel/event_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1306. DELETE /ariel/event_saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 671

 Table 1307. DELETE /ariel/event_saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
204 The event Ariel saved search group was deleted.
404 1002 The event Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete
theevent Ariel saved search group.

Response Description

Response Sample

GET /ariel/flow_saved_search_groups
Retrieves a list of flow Ariel saved search groups.

Retrieves a list of flow Ariel saved search groups.

Table 1308. GET /ariel/flow_saved_search_groups resource details
MIME Type
application/json

Table 1309. GET /ariel/flow_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

672 QRadar API Reference Guide

Table 1310. GET /ariel/flow_saved_search_groups response codes
HTTP Response
Code Unique Code Description
200 The Retrieves a list of flow Ariel saved search
groups were returned.
500 1020 An error occurred during the attempt to retrieve the
flow Ariel saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

Chapter 7. Previous REST API versions 673

 GET /ariel/flow_saved_search_groups/{group_id}
Retrieves a flow Ariel saved search group.

Retrieves a flow Ariel saved search group.

Table 1311. GET /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1312. GET /ariel/flow_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1313. GET /ariel/flow_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The flow Ariel saved search group was retrieved.
404 1002 The flow Ariel saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
flow Ariel saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

674 QRadar API Reference Guide

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /ariel/flow_saved_search_groups/{group_id}
Updates the owner of a flow Ariel saved search group.

Updates the owner of a flow Ariel saved search group.

Table 1314. POST /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1315. POST /ariel/flow_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 675

 Table 1316. POST /ariel/flow_saved_search_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/Required - Group {
json object with the "child_groups": [ 42 ],
owner set to a valid
deployed user. "child_items": [ "String" ],
"description": "String",
"id": 42,
"level": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH _GROUP,
FLOW_SAVED_SEARCH _GROUP,
OFFENSE_SAVED_SEARCH _GROUP,
QRM_SAVED_SEARCH _GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH
_GROUP,
SIMULATION_SAVED_SEARCH
_GROUP,
TOPOLOGY_SAVED_SEARCH
_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED _SEARCH
_GROUP>" }

Table 1317. POST /ariel/flow_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The flow Ariel saved search group was updated.
404 1002 The flow Ariel saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the flow Ariel saved search
group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
flow Ariel saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.

676 QRadar API Reference Guide

v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /ariel/flow_saved_search_groups/{group_id}
Deletes a flow Ariel saved search group.

Deletes a flow Ariel saved search group.

Table 1318. DELETE /ariel/flow_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1319. DELETE /ariel/flow_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 677

 Table 1320. DELETE /ariel/flow_saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
204 The flow Ariel saved search group was deleted.
404 1002 The flow Ariel saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
flow Ariel saved search group.

Response Description

Response Sample

GET /ariel/saved_search_delete_tasks/{task_id}
Retrieves the delete the Ariel saved search task status.

Retrieves the delete Ariel saved search task status.

Table 1321. GET /ariel/saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1322. GET /ariel/saved_search_delete_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1323. GET /ariel/saved_search_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status was exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

678 QRadar API Reference Guide

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /ariel/saved_search_dependent_tasks/{task_id}
Retrieves the dependent the Ariel saved search task status.

Retrieves the dependent Ariel saved search task status.

Table 1324. GET /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1325. GET /ariel/saved_search_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 679

 Table 1325. GET /ariel/saved_search_dependent_tasks/{task_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1326. GET /ariel/saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.

680 QRadar API Reference Guide

 sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,

Chapter 7. Previous REST API versions 681

 FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /ariel/saved_search_dependent_tasks/{task_id}
Cancels the dependent Ariel saved search task.

Cancels the dependent Ariel saved search task.

Table 1327. POST /ariel/saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1328. POST /ariel/saved_search_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

682 QRadar API Reference Guide

Table 1329. POST /ariel/saved_search_dependent_tasks/{task_id} request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 1330. POST /ariel/saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/ariel/saved_search_dependent_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state that the task is in.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. the vaalue is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.

Chapter 7. Previous REST API versions 683

 v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

684 QRadar API Reference Guide

 PROCESSING,
QUEUED,
RESUMING>"
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /ariel/saved_search_dependent_tasks/{task_id}/results
Retrieves the Ariel saved search dependent task results.

Retrieves the Ariel saved search dependent task results.

Table 1331. GET /ariel/saved_search_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1332. GET /ariel/saved_search_dependent_tasks/{task_id}/results request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1333. GET /ariel/saved_search_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The Ariel saved search dependents were retrieved.
404 1002 The Dependent Task Status does not exist.

Chapter 7. Previous REST API versions 685

 Table 1333. GET /ariel/saved_search_dependent_tasks/{task_id}/results response
codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to retrieve the
Ariel saved searches.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource. ( Default
resources can have localized names )
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,

686 QRadar API Reference Guide

 DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /ariel/saved_searches
Retrieves a list of Ariel saved searches.

Retrieves a list of Ariel saved searches.

Table 1334. GET /ariel/saved_searches resource details
MIME Type
application/json

Table 1335. GET /ariel/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 7. Previous REST API versions 687

 Table 1336. GET /ariel/saved_searches response codes
HTTP Response
Code Unique Code Description
200 The Ariel saved searches were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
Ariel Saved Searches.

Response Description

An array of Ariel Saved Search objects. An Ariel Saved Search object contains the
following fields:
v id - Long - The ID of the ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
[
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}
]

GET /ariel/saved_searches/{id}
Retrieves an Ariel saved search.

Retrieves an Ariel saved search.

Table 1337. GET /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 1338. GET /ariel/saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

688 QRadar API Reference Guide

Table 1338. GET /ariel/saved_searches/{id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1339. GET /ariel/saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The Ariel saved search was retrieved.
404 1002 The Ariel saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the
Ariel Saved Search.

Response Description

The Ariel saved search after it is retrieved. An Ariel Saved Search object contains
the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

Response Sample
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}

POST /ariel/saved_searches/{id}
Updates the Ariel saved search owner only.

Updates the Ariel saved search owner only.

Table 1340. POST /ariel/saved_searches/{id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 689

 Table 1341. POST /ariel/saved_searches/{id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1342. POST /ariel/saved_searches/{id} request body details

MIME
Parameter Data Type Type Description Sample
saved_search Object application/ null { "id": "1", "name":
json "String", "database":
"String", "is_shared":
true, "owner": "String"
}

Table 1343. POST /ariel/saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The Ariel saved search was updated.
403 1009 You do not have the required capabilities to update
the Ariel Saved Search.
404 1002 The Ariel saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the Ariel saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
Ariel Saved Search.

Response Description

The Ariel saved search after it has been updated. An Ariel Saved Search object
contains the following fields:
v id - Long - The ID of the Ariel saved search.
v uuid - String - The uuid of the Ariel saved search.
v name - String - The name of the Ariel saved search.
v database - String - The database of the Ariel saved search, events or flows.
v isShared - Boolean - True if the Ariel saved search is shared with other users.
v owner - String - The owner of the Ariel saved search.

690 QRadar API Reference Guide

Response Sample
{
"database": "String <one of: EVENTS, FLOWS>",
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String",
"uid": "String"
}

DELETE /ariel/saved_searches/{id}
Deletes an Ariel saved search. To ensure safe deletion, a dependency check is
carried out. The check might take some time. An asynchronous task is started to
do this check.

Deletes an Ariel saved search. To ensure safe deletion, a dependency check is

carried out. The check might take some time. An asynchronous task is started to
do this check.
Table 1344. DELETE /ariel/saved_searches/{id} resource details
MIME Type
application/json

Table 1345. DELETE /ariel/saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1346. DELETE /ariel/saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
202 The Ariel saved search delete command was
accepted and is in progress.
403 1009 You do not have the required capabilities to delete
the Ariel saved search.
404 1002 The Ariel saved search does not exist.
500 1020 An error occurred during the attempt to delete the
Ariel Saved Search.

Chapter 7. Previous REST API versions 691

 Response Description

A Delete Task Status object and the location header set to the task status url
"/api/ariel/saved_search_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /ariel/saved_searches/{id}/dependents
Retrieves the objects that depend on the Ariel saved search.

Retrieves the objects that depend on the Ariel saved search.

Table 1347. GET /ariel/saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 1348. GET /ariel/saved_searches/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

692 QRadar API Reference Guide

Table 1348. GET /ariel/saved_searches/{id}/dependents request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1349. GET /ariel/saved_searches/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Ariel saved search dependents retrieval was
accepted and is in progress
404 1002 The Ariel saved search does not exist
500 1020 An error occurred during the attempt to initiate the
Ariel Saved Search dependents retrieval task

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/ariel/saved_search_dependents_tasks/{task_id}". A Dependent Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.

Chapter 7. Previous REST API versions 693

 sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,

694 QRadar API Reference Guide

 FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /ariel/searches
Retrieves the list of Ariel searches. Search IDs for completed and active searches
are returned.

Retrieves the list of Ariel searches. This includes search IDs for completed and
active searches.
Table 1350. GET /ariel/searches resource details
MIME Type
application/json

Table 1351. GET /ariel/searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
db_name query Optional String text/plain Optional - The name of
the Ariel database to
retrieve the list of Ariel
searches.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1352. GET /ariel/searches response codes

HTTP Response
Code Unique Code Description
200 The search list was retrieved.

Chapter 7. Previous REST API versions 695

 Table 1352. GET /ariel/searches response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to retrieve the
list of searches.
503 1010 The ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

POST /ariel/searches
Creates a new asynchronous Ariel search.

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query
expression. Searches are executed asynchronously. A reference to the search ID is
returned and should be used in subsequent API calls to determine the status of the
search and retrieve the results once it is complete.

This endpoint only accepts SELECT query expressions.

Queries are applied to the range of data in a certain time interval. By default this
time interval is the last 60 seconds. An alternative time interval can be specified by
specifying them as part of the query expression. For further information, see the
AQL reference guide.
Table 1353. POST /ariel/searches resource details
MIME Type
application/json

Table 1354. POST /ariel/searches request parameter details

Parameter Type Optionality Data Type MIME Type Description
query_expression query Required String text/plain Required - The AQL
query to execute.

Table 1355. POST /ariel/searches response codes

HTTP Response
Code Unique Code Description
201 A new Ariel search was successfully created.
409 1004 The search cannot be created. The requested search
ID that was provided in the query expression is
already in use. Please use a unique search ID (or
allow one to be generated).
422 2000 The query_expression contains invalid AQL syntax.
422 1005 A request parameter is not valid.

696 QRadar API Reference Guide

Table 1355. POST /ariel/searches response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to create a
new search.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

Information about the specified search, including the search ID. Use the search ID
to access or manipulate the search with the other API endpoints. If the exact search
being created was already recently created, the response message will return a
reference to the original search ID rather than creating a new search.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"

Chapter 7. Previous REST API versions 697

 },
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

GET /ariel/searches/{search_id}
Retrieves information about an Ariel search.

Retrieve status information for a search, based on the search ID parameter. The
same informational fields are returned regardless of whether the search is in
progress or is complete.
Table 1356. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 1357. GET /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The identifier
for an Ariel search.

Table 1358. GET /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
200 The search information was retrieved.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
search information.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

Information about the specified search, including the search status.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,

698 QRadar API Reference Guide

 "error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

POST /ariel/searches/{search_id}
Updates an Ariel search.

Updates details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops
the search and keeps any search results that were collected before the search was
canceled.
v The results for a completed search can be saved by setting the save_results
parameter to true. This ensures that the search is not automatically removed
when it expires in accordance with the retention policy.

The Ariel server uses an internal retention policy to manage available disk space.
Searches might be deleted automatically, according to the settings of the retention

Chapter 7. Previous REST API versions 699

 policy. Searches with saved results are not automatically reclaimed by the server
and are therefore retained. A search can be explicitly deleted by using the DELETE
/searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to
process new searches.
Table 1359. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 1360. POST /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The ID of the
search to update.
status query Optional String text/plain Optional. The only
accepted value is
CANCELED. If this
value is provided, the
search is canceled.
save_results query Optional String text/plain Optional. The only
accepted value is true.
If this value is
provided, the search
results are not deleted
by the search expiration
removal process. If
status parameter was
provided, this
parameter is not
checked and silently
ignored.

Table 1361. POST /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
200 The search was updated.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
search.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

Information about the specified search that was updated.

700 QRadar API Reference Guide

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,
0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

DELETE /ariel/searches/{search_id}
Deletes an Ariel search.

Chapter 7. Previous REST API versions 701

 Deletes an Ariel search. This discards any results that were collected and stops the
search if it is in progress. This search is deleted regardless of whether the results
were saved.
Table 1362. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 1363. DELETE /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required - The search
ID of the search to
delete.

Table 1364. DELETE /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
202 The delete request has been accepted.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to delete the
search.
503 1010 The ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

Information about the deleted search.

Response Sample
{
"cursor_id": "s16",
"compressed_data_file_count": 0,
"compressed_data_total_size": 0,
"data_file_count": 5470,
"data_total_size": 67183115,
"index_file_count": 0,
"index_total_size": 0,
"processed_record_count": 1256462,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"desired_retention_time_msec": 86400000,
"progress": 46,
"progress_details": [
0,
0,
0,

702 QRadar API Reference Guide

 0,
66957,
652657,
76594,
89809,
86032,
107729
],
"query_execution_time": 1480,
"query_string": "SELECT sourceip, starttime from events
into s16 where sourceip
in (select destinationip from events)
parameters snapshotsize=2, PROGRESSDETAILSRESOLUTION=10",
"record_count": 1240923,
"save_results": false,
"status": "EXECUTE",
"snapshot": {
"events": [
{
"sourceip": "10.100.65.20",
"starttime": "1467049610018"
},
{
"sourceip": "10.100.100.121",
"starttime": "1467049610019"
}
]
},
"subsearch_ids": [
"sub_id_1"
],
"search_id": "s16"
}

GET /ariel/searches/{search_id}/results
Retrieves search results in the requested format.

Retrieve the results of the Ariel search that is identified by the search ID. The
Accepts request header indicates the format of the result. The formats are RFC
compliant and can be JSON, CSV, XML, or tabular text.

By default, all query result records are returned. To restrict the results to a
contiguous subset of the records, you can supply a Range header to specify the
inclusive range of records to be returned.

This end-point works with query results that are generated by AQL query
expressions. This endpoint might not work as expected for results that are
generated by other means. Search results might not be retrievable for searches that
are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP
from events.
Table 1365. GET /ariel/searches/{search_id}/results resource details
MIME Type
application/json application/csv text/table application/xml

Chapter 7. Previous REST API versions 703

 Table 1366. GET /ariel/searches/{search_id}/results request parameter details
MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain The ID of the search
criteria for the returned
results.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1367. GET /ariel/searches/{search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The search results were retrieved.
404 1002 The search does not exist.
404 1003 Search results not found. The search is still in
progress.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
search results.
503 1010 The Ariel server might be temporarily unavailable or
offline. Please try again later.

Response Description

The search results for the specified search ID. The format that is used to
encapsulate the data depends on the format specified in the Accept header for this
request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}

Asset model endpoints

Use the references for REST API V7.0 Asset Model endpoints.

704 QRadar API Reference Guide

GET /asset_model/assets
List all assets found in the model.
Table 1368. GET /asset_model/assets resource details
MIME Type
application/json

Table 1369. GET /asset_model/assets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1370. GET /asset_model/assets response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.
500 1020 The server encountered an error while trying to
retrieve the assets.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[{"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,

Chapter 7. Previous REST API versions 705

 "last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"network_id": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String"}]
}],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"}]
}]

POST /asset_model/assets/{asset_id}
Update an asset with several pertinent pieces of information.

The asset_id tag is mandatory, and is the unique identifier for an asset. This field
is available through the /asset_model/assets or /asset_model/saved_searches/
{saved_search_id}/results query. To update properties, the property type ID which
is available through the /asset_model/properties query must be provided along
with the new value. See the sample provided demonstrating an example asset
update.
Table 1371. POST /asset_model/assets/{asset_id} resource details
MIME Type
text/plain

Table 1372. POST /asset_model/assets/{asset_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
asset_id path Required String text/plain Unique identifier of the
asset to update.

Table 1373. POST /asset_model/assets/{asset_id} request body details

Parameter Data Type MIME Type Description Sample
asset JSON application/json JSON representation of { "properties": [ {
an asset. "type_id": 1001, "value":
"given name value" }, {
"type_id": 1002, "value":
"unified name value" } ]
}

Table 1374. POST /asset_model/assets/{asset_id} response codes

HTTP Response
Code Unique Code Description
202 The request to update the asset was successful. The
update will take place when the asset profile
application receives the request.
422 1005 One or more of the requested property updates were
invalid.

706 QRadar API Reference Guide

Table 1374. POST /asset_model/assets/{asset_id} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 The server encountered an error registering the
update with the asset profile application.

Response Description

Information about the asset that was updated.

Response Sample
String

GET /asset_model/properties
Get a list of available asset property types that can be used.

Get a list of available asset property types that can be used or applied against the
/asset_model/assets endpoint.
Table 1375. GET /asset_model/properties resource details
MIME Type
application/json

Table 1376. GET /asset_model/properties request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 707

 Table 1377. GET /asset_model/properties response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve the list of asset property
types completed successfully.
500 1020 An error occurred while trying to retrieve the list of
asset property types.

Response Description

List of asset properties. Per asset property type: id and name that make up this
asset property type.

Response Sample
[
{
"custom": true,
"data_type": "String",
"display": true,
"id": 42,
"name": "String",
"state": 42
}
]

GET /asset_model/saved_search_groups
Retrieves a list the asset saved search groups.

Retrieves a list the asset saved search groups.

Table 1378. GET /asset_model/saved_search_groups resource details
MIME Type
application/json

Table 1379. GET /asset_model/saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

708 QRadar API Reference Guide

Table 1379. GET /asset_model/saved_search_groups request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1380. GET /asset_model/saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The asset saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
asset saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,

Chapter 7. Previous REST API versions 709

 EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /asset_model/saved_search_groups/{group_id}
Retrieves an asset saved search group.

Retrieves an asset saved search group.

Table 1381. GET /asset_model/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1382. GET /asset_model/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1383. GET /asset_model/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The asset saved search group was retrieved.
404 1002 The asset saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
asset saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The id of the parent group. ( Default resources can have
localized names )
v type - String - The type of the group.

710 QRadar API Reference Guide

v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group. ( Default groups can have localized
names )
v description - String - The description of the group. ( Default groups can have
localized names )
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /asset_model/saved_search_groups/{group_id}
Updates the owner of an asset saved search group.

Updates the owner of an asset saved search group.

Table 1384. POST /asset_model/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1385. POST /asset_model/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 711

 Table 1385. POST /asset_model/saved_search_groups/{group_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1386. POST /asset_model/saved_search_groups/{group_id} request body details

MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1387. POST /asset_model/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The asset saved search group has been updated.
404 1002 The asset saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the asset saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
asset saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.

712 QRadar API Reference Guide

v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /asset_model/saved_search_groups/{group_id}
Deletes an asset saved search group.

Deletes an asset saved search group.

Table 1388. DELETE /asset_model/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1389. DELETE /asset_model/saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 713

 Table 1390. DELETE /asset_model/saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
204 The asset saved search group was deleted.
404 1002 The asset saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
asset saved search group.

Response Description

Response Sample

GET /asset_model/saved_searches
Get a list of saved searches that can be used.

Get a list of saved searches that can be used or applied against the
/asset_model/saved_searches/{saved_search_id}/results query.
Table 1391. GET /asset_model/saved_searches resource details
MIME Type
application/json

Table 1392. GET /asset_model/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

714 QRadar API Reference Guide

Table 1393. GET /asset_model/saved_searches response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve the list of saved searches
completed successfully.
500 1020 The server encountered an error while trying to
retrieve the list of saved searches.

Response Description

List of saved searches. Per saved search: id, name and list of filters that make up
this saved search

Response Sample
[
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /asset_model/saved_searches/{saved_search_id}
Retrieves an asset saved search.

Retrieves an asset saved search.

Table 1394. GET /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 1395. GET /asset_model/saved_searches/{saved_search_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 715

 Table 1395. GET /asset_model/saved_searches/{saved_search_id} request parameter
details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1396. GET /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The asset saved search was retrieved,
404 1002 The asset saved search does not exist,
500 1020 An error occurred during the attempt to retrieve the
asset saved search,

Response Description

The asset saved search after it is retrieved. An Asset Saved Search object contains
the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

716 QRadar API Reference Guide

POST /asset_model/saved_searches/{saved_search_id}
Updates the asset saved search owner only.

Updates the asset saved search owner only.

Table 1397. POST /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 1398. POST /asset_model/saved_searches/{saved_search_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1399. POST /asset_model/saved_searches/{saved_search_id} request body details

Parameter Data Type MIME Type Description Sample
saved_search Object application/ null { "columns": [ { "name":
json "String", "type": "String" }
], "description": "String",
"filters": [ { "operator":
"String", "parameter":
"String", "value": "String"
} ], "id": 42, "is_shared":
true, "name": "String",
"owner": "String" }

Table 1400. POST /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The asset saved search was updated.
403 1009 You do not have the required capabilities to update
the asset saved search.
404 1002 The asset saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the asset saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
asset saved search.

Chapter 7. Previous REST API versions 717

 Response Description

The asset saved search after it is updated. An Asset Saved Search object contains
the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"columns": [
{
"name": "String",
"type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"is_shared": true,
"name": "String",
"owner": "String"
}

DELETE /asset_model/saved_searches/{saved_search_id}
Deletes an asset saved search.

Deletes an asset saved search.

Table 1401. DELETE /asset_model/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 1402. DELETE /asset_model/saved_searches/{saved_search_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
saved_search_id path Required Number text/plain null
(Integer)

Table 1403. DELETE /asset_model/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
204 The asset saved searchh was deleted.

718 QRadar API Reference Guide

Table 1403. DELETE /asset_model/saved_searches/{saved_search_id} response
codes (continued)
HTTP Response
Code Unique Code Description
403 1009 You do not have the required capabilities to delete
the asset saved search.
404 1002 The asset saved search does not exist.
500 1020 An error occurred during the attempt to delete the
asset saved search.

Response Description

Response Sample

GET /asset_model/saved_searches/{saved_search_id}/results
Retrieves a list of assets based on the results of an asset saved search.
Table 1404. GET /asset_model/saved_searches/{saved_search_id}/results resource details
MIME Type
application/json

Table 1405. GET /asset_model/saved_searches/{saved_search_id}/results request

parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required String text/plain Unique identifier of the
saved search used to
retrieve assets.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.

Table 1406. GET /asset_model/saved_searches/{saved_search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.

Chapter 7. Previous REST API versions 719

 Table 1406. GET /asset_model/saved_searches/{saved_search_id}/results response
codes (continued)
HTTP Response
Code Unique Code Description
422 1005 The unique identifier of the saved search provided
was invalid.
500 1003 The server encountered an error executing the saved
search.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
{
"domain_id": 42,
"id": 42,
"interfaces": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"ip_addresses": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"network_id": 42,
"type": "String",
"value": "String"
}
],
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String"
}
],
"properties": [
{
"id": 42,
"last_reported": 42,
"last_reported_by": "String",
"name": "String",
"type_id": 42,
"value": "String"
}
]
}
]

Authentication endpoints
Use the references for REST API V7.0 authentication endpoints.

720 QRadar API Reference Guide

 POST /auth/logout
Invoke this method as an authorized user and your session will be invalidated.
Table 1407. POST /auth/logout resource details
MIME Type
text/plain

There are no parameters for this endpoint.

Table 1408. POST /auth/logout response codes
HTTP Response
Code Unique Code Description
200 The session was invalidated.

Response Description

Returns true. Throws exception upon failure.

Response Sample
true

Configuration endpoints
Use the references for REST API V7.0 configuration endpoints.

GET /config/access/tenant_management/tenants
Retrieve the list of all tenants ordered by tenant ID.

Retrieve the list of all tenants. The list is ordered by tenant ID.
Table 1409. GET /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 1410. GET /config/access/tenant_management/tenants request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 7. Previous REST API versions 721

 Table 1410. GET /config/access/tenant_management/tenants request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1411. GET /config/access/tenant_management/tenants response codes

HTTP Response
Code Unique Code Description
200 The tenant list was successfully retrieved.
500 1020 An error occurred while the tenant list was being
retrieved.

Response Description

a list of all the tenants

Response Sample
[
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}
]

POST /config/access/tenant_management/tenants
Create a new tenant.
Table 1412. POST /config/access/tenant_management/tenants resource details
MIME Type
application/json

722 QRadar API Reference Guide

Table 1413. POST /config/access/tenant_management/tenants request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1414. POST /config/access/tenant_management/tenants request body details

Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

Table 1415. POST /config/access/tenant_management/tenants response codes

HTTP Response
Code Unique Code Description
201 A new tenant was created successfully and returned
the new tenant object.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to create the tenant.

Response Description

a created tenant object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/access/tenant_management/tenants/{tenant_id}
Retrieve a tenant by tenant id.
Table 1416. GET /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 723

 Table 1417. GET /config/access/tenant_management/tenants/{tenant_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1418. GET /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response
Code Unique Code Description
200 The tenant was successfully retrieved.
404 1002 No tenant was found for the provided tenant id.
500 1020 An error occurred while the tenant was being
retrieved.

Response Description

the associated tenants object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

POST /config/access/tenant_management/tenants/{tenant_id}
Update a tenant
Table 1419. POST /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 1420. POST /config/access/tenant_management/tenants/{tenant_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - Integer - the
(Integer) tenant id to modify

724 QRadar API Reference Guide

Table 1420. POST /config/access/tenant_management/tenants/{tenant_id} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1421. POST /config/access/tenant_management/tenants/{tenant_id} request body

details
Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

Table 1422. POST /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response
Code Unique Code Description
200 A tenant profile that was updated successfully and
returned the updated tenant object.
404 1002 The tenant profile does not exist.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to retrieve/update the given tenant profile.

Response Description

the updated tenant object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

DELETE /config/access/tenant_management/tenants/{tenant_id}
Delete a tenant.

Deletes a tenant by tenant ID.

Chapter 7. Previous REST API versions 725

 Table 1423. DELETE /config/access/tenant_management/tenants/{tenant_id} resource
details
MIME Type
application/json

Table 1424. DELETE /config/access/tenant_management/tenants/{tenant_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - String - id
(Integer) associated to a tenant

Table 1425. DELETE /config/access/tenant_management/tenants/{tenant_id} response

codes
HTTP Response
Code Unique Code Description
200 The tenant was deleted successfully (soft delete).
404 1002 The tenant does not exists.
500 1020 An error occurred while deleting tenant.

Response Description

the deleted tenant object with its parameter deleted set to true

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/domain_management/domains
Retrieves the list of all domains, active and deleted (including the default domain).

The list is ordered by domain ID. If domains were never configured, only the
default domain is returned.
Table 1426. GET /config/domain_management/domains resource details
MIME Type
application/json

726 QRadar API Reference Guide

Table 1427. GET /config/domain_management/domains request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1428. GET /config/domain_management/domains response codes

HTTP Response
Code Unique Code Description
200 The domain list has been successfully retrieved.
500 1020 An error occurred while the domain list was being
retrieved.

Response Description

The list of domain objects.

Response Sample
[
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [

Chapter 7. Previous REST API versions 727

 42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}
]

POST /config/domain_management/domains
Creates a new domain.
Table 1429. POST /config/domain_management/domains resource details
MIME Type
application/json

Table 1430. POST /config/domain_management/domains request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

728 QRadar API Reference Guide

Table 1431. POST /config/domain_management/domains request body details
Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object { "asset_scanner_ids":
(its id parameter is [42],
ignored). "custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

Table 1432. POST /config/domain_management/domains response codes

HTTP Response
Code Unique Code Description
201 The domain has been successfully created.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
created.

Response Description

A created domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [

Chapter 7. Previous REST API versions 729

 42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/domain_management/domains/{domain_id}
Retrieves a domain by domain ID.
Table 1433. GET /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 1434. GET /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1435. GET /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully retrieved.
404 1002 No domain was found for the provided domain id.
500 1020 An error occurred while the domain was being
retrieved.

Response Description

A domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42

730 QRadar API Reference Guide

 }
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

POST /config/domain_management/domains/{domain_id}
Updates an existing domain.
Table 1436. POST /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 1437. POST /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to update.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 731

 Table 1438. POST /config/domain_management/domains/{domain_id} request body details
Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object. { "asset_scanner_ids":
[42],
"custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

Table 1439. POST /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully updated.
404 1002 No domain was found for the provided domain id.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
updated.

Response Description

The updated domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42

732 QRadar API Reference Guide

 ],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

DELETE /config/domain_management/domains/{domain_id}
Deletes a domain by domain ID.

All domain mappings are also deleted

Table 1440. DELETE /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 1441. DELETE /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1442. DELETE /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully deleted.
404 1002 No domain was found for the provided domain id.
422 1005 Default domain cannot be deleted.
500 1020 An error occurred while the domain was being
deleted.

Response Description

The deleted domain object with its parameter deleted set to true.

Chapter 7. Previous REST API versions 733

 Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/event_retention_buckets
Retrieves a list of event retention buckets.

Retrieves a list of event retention buckets.

Table 1443. GET /config/event_retention_buckets resource details
MIME Type
application/json

Table 1444. GET /config/event_retention_buckets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

734 QRadar API Reference Guide

Table 1444. GET /config/event_retention_buckets request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1445. GET /config/event_retention_buckets response codes

HTTP Response
Code Unique Code Description
200 The event retention buckets were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
event retention buckets.

Response Description

An array of Retention Bucket objects. An Retention Bucket object contains the

following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )
v priority - Integer - The priority of the retention bucket. ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The id of the saved search used by the retention
bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Chapter 7. Previous REST API versions 735

 Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]

GET /config/event_retention_buckets/{id}
Retrieves an event retention bucket.

Retrieves an event retention bucket.

Table 1446. GET /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 1447. GET /config/event_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1448. GET /config/event_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The event retention bucket was retrieved.
404 1002 The event retention bucket does not exist.
500 1020 An error occurred during the attempt to retrieve the
event retention bucket.

736 QRadar API Reference Guide

Response Description

The retention bucket after it has been retrieved. An Retention Bucket object
contains the following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the
retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/event_retention_buckets/{id}
Updates the event retention bucket owner or enabled/disabled only.

Updates the event retention bucket owner or enabled/disabled only.

Table 1449. POST /config/event_retention_buckets/{id} resource details
MIME Type
application/json

Table 1450. POST /config/event_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 737

 Table 1450. POST /config/event_retention_buckets/{id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1451. POST /config/event_retention_buckets/{id} request body details

Parameter Data Type MIME Type Description Sample
retention_bucket Object application/ null { "id": 1, "name": "String",
json "description": "String", "priority": 1,
"period": 1, "deletion": "String",
"created": 123123, "modified": 123123,
"saved_search_id": "String", "enabled":
true }

Table 1452. POST /config/event_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The event retention bucket has been updated.
404 1002 The event retention bucket does not exist.
409 1004 The provided user does not have the required
capabilities to own the event retention bucket.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
event retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the
following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket (0 - 10).
v priority - Integer - The priority of the retention bucket (0 - 10).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.

738 QRadar API Reference Guide

v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the
retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/event_retention_buckets/{id}
Deletes an event retention bucket.

Deletes an event retention bucket.

Table 1453. DELETE /config/event_retention_buckets/{id} resource details
MIME Type
text/plain

Table 1454. DELETE /config/event_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Table 1455. DELETE /config/event_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
204 The Event Retention Bucket was deleted.
403 1009 You do not have the proper capabilities to delete the
event retention bucket.
404 1002 The Event Retention Bucket does not exist.
500 1020 An error occurred during the attempt to delete the
event retention bucket.

Chapter 7. Previous REST API versions 739

 Response Description

Response Sample

GET /config/event_sources/custom_properties/
property_expressions
Retrieves a list of event regex property expressions.

Retrieves a list of event regex property expressions.

Table 1456. GET /config/event_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

Table 1457. GET /config/event_sources/custom_properties/property_expressions request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1458. GET /config/event_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
200 The requested list of event regex property
expressions was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of event regex property expressions.

740 QRadar API Reference Guide

Response Description

A list of event regex property expressions. Each regex property expression contains
the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.
v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/event_sources/custom_properties/
property_expressions
Creates a new event regex property expression.

Creates a new event regex property expression.

Table 1459. POST /config/event_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

Chapter 7. Previous REST API versions 741

 Table 1460. POST /config/event_sources/custom_properties/property_expressions request
parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1461. POST /config/event_sources/custom_properties/property_expressions request

body details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON representation of the { "capture_group": 42, "creation_date": 42,
json regex property expression object "enabled": true, "id": 42, "identifier":
"String", "log_source_id": 42,
v regex_property_identifier - Required -
"log_source_type_id": 42,
String - The identifier of the event regex
"low_level_category_id": 42,
property that this expression belongs to. "modification_date": 42, "payload":
v enabled - Optional - Boolean - Flag that "String", "qid": 42, "regex": "String",
indicates whether this expression is "regex_property_identifier": "String",
enabled. It defaults to true if not "username": "String" }
provided.
v regex - Required - String - The regex to
extract the property from the payload.
v capture_group - Optional - Integer -
The capture group to capture. It
defaults to 1 if not provided.
v payload - Optional - String - Test
payload. This parameter is only used in
the UI so that the user can verify their
regex matches the expected payload.
v log_source_type_id - Required - Integer
- The expression is only applied to
events for this log source type.
v log_source_id - Optional - Integer - The
expression is only applied to events for
this log source (more specific than type
alone).
v qid - Optional - Integer - The
expression is only applied to events
associated with this QID record.
v low_level_category_id - Optional -
Integer - The expression is only applied
to events with this low level category.

Table 1462. POST /config/event_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
201 A new event regex property expression was created.
422 1005 One or more request parameter are invalid in
request.
500 1020 An error occurred during the attempt to create a
new event regex property expression.

742 QRadar API Reference Guide

Response Description

The newly created event regex property expression that contains the following
fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.
v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

GET /config/event_sources/custom_properties/
property_expressions/{expression_id}
Retrieves an event regex property expression based on the supplied expression ID.

Retrieves an event regex property expression based on the supplied expression ID.
Table 1463. GET /config/event_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 743

 Table 1464. GET /config/event_sources/custom_properties/property_expressions/
{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The Guid ID of the
(Integer) event_regex_property_expression.
fields query Optional String text/plain Optional - Use this parameter to specify which
fields you would like to get back in the
response. Fields that are not named are
excluded. Specify subfields in brackets and
multiple fields in the same object are separated
by commas.

Table 1465. GET /config/event_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The requested event regex property expression was
successfully retrieved.
404 1002 The requested event regex property expression
cannot be found.
500 1020 An error occurred during the attempt to retrieve the
requested event regex property expression.

Response Description

A event regex property expression that contains the following fields:

v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The identifier of the event regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.
v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,

744 QRadar API Reference Guide

 "modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

POST /config/event_sources/custom_properties/
property_expressions/{expression_id}
Updates an existing event regex property expression.

Updates an existing event regex property expression.

Table 1466. POST /config/event_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Table 1467. POST /config/event_sources/custom_properties/property_expressions/

{expression_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
expression_id path Required Number text/plain Required - The
(Integer) sequence ID of the
event regex property
expression.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

Chapter 7. Previous REST API versions 745

 Table 1468. POST /config/event_sources/custom_properties/property_expressions/
{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON representation of the { "capture_group": 42, "creation_date": 42,
json event regex property expression object. "enabled": true, "id": 42, "identifier":
"String", "log_source_id": 42,
v regex_property_identifier - Optional -
"log_source_type_id": 42,
String - The identifier of the event regex
"low_level_category_id": 42,
property that this expression belongs to. "modification_date": 42, "payload":
v enabled - Optional - Boolean - Flag that "String", "qid": 42, "regex": "String",
indicates whether this expression is "regex_property_identifier": "String",
enabled. "username": "String" }

v regex - Optional - String - The regex to

extract the property from the payload.
v capture_group - Optional - Integer -
The capture group to capture.
v payload - Optional - String - Test
payload. This parameter is only used in
the UI so that the user can verify their
regex matches the expected payload.
v log_source_type_id - Optional - Integer
- The expression is only applied to
events for this log source type.
v log_source_id - Optional - Integer - The
expression is only applied to events for
this log source (more specific than type
alone).
v qid - Optional - Integer - The
expression is only applied to events
associated with this QID record.
v low_level_category_id - Optional -
Integer - The expression is only applied
to events with this low level category.
v username - Optional - String - The
owner of the event regex property
expression. If the input username is
authorized service, the prefix
"API_token: " is required.

Table 1469. POST /config/event_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The event regex property expression was updated.
403 1009 The user cannot update the resource because it only
can be updated by the owner or admin user.
404 1002 The requested event regex property expression
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred during the attempt to update an
event regex property expression.

Response Description

The updated event regex property expression object contains the following fields:
v id - Integer - The sequence ID of the event regex property expression.
v identifier - String - The ID of the event regex property expression.
v regex_property_identifier - String - The ID of the event regex property that this
expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.

746 QRadar API Reference Guide

v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This parameter is only used in the UI so that the
user can verify their regex matches the expected payload.
v log_source_type_id - Integer - The expression is only applied to events for this
log source type.
v log_source_id - Integer - The expression is only applied to events for this log
source (more specific than type alone).
v qid - Integer - The expression is only applied to events associated with this QID
record.
v low_level_category_id - Integer - The expression is only applied to events with
this low level category.
v username - String - The owner of the event regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"log_source_id": 42,
"log_source_type_id": 42,
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/event_sources/custom_properties/
property_expressions/{expression_id}
Deletes an event regex property expression based on the supplied expression ID.

Deletes an event regex property expression based on the supplied expression ID.
Table 1470. DELETE /config/event_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
text/plain

Table 1471. DELETE /config/event_sources/custom_properties/property_expressions/

{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The sequence ID of the
(Integer) event_regex_property_expression.

Table 1472. DELETE /config/event_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
204 The requested event regex property expression was
successfully deleted.

Chapter 7. Previous REST API versions 747

 Table 1472. DELETE /config/event_sources/custom_properties/property_expressions/
{expression_id} response codes (continued)
HTTP Response
Code Unique Code Description
403 1009 The user cannot delete the resource because it only
can be deleted by the owner or admin user.
404 1002 The requested event regex property expression
cannot be found.
500 1020 An error occurred during the attempt to delete the
requested event regex property expression.

Response Description

Response Sample

GET /config/event_sources/custom_properties/regex_properties
Retrieves a list of event regex properties.

Retrieves a list of event regex properties.

Table 1473. GET /config/event_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 1474. GET /config/event_sources/custom_properties/regex_properties request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

748 QRadar API Reference Guide

Table 1475. GET /config/event_sources/custom_properties/regex_properties response codes
HTTP Response
Code Unique Code Description
200 The requested list of event regex properties was
retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of event regex properties.

Response Description

A list of event regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (STRING, NUMERIC, IP, PORT,
TIME) of event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The Language tag of what locale the Property matches.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/event_sources/custom_properties/regex_properties
Creates a new event regex property.

Creates a new event regex property.

Table 1476. POST /config/event_sources/custom_properties/regex_properties resource
details
MIME Type
application/json

Chapter 7. Previous REST API versions 749

 Table 1477. POST /config/event_sources/custom_properties/regex_properties request
parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1478. POST /config/event_sources/custom_properties/regex_properties request body

details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON representation of the { "creation_date": 42, "datetime_format":
json event regex property object. "String", "description": "String", "id": 42,
"identifier": "String", "locale": "String",
v name - Required - String - The name of
"modification_date": 42, "name": "String",
the event regex property.
"property_type": "String <one of: string,
v description - Optional - String - The numeric, ip, port, time>",
description of the event regex property. "use_for_rule_engine": true, "username":
"String" }
v property_type - Required - String - The
property type (string, numeric, ip, port,
time) of event regex property.
v use_for_rule_engine - Optional -
Boolean - The flag to indicate if the
event regex property is parsed when the
event is received. It is false if no value
supplied.
v datetime_format - Optional - String -
The date/time pattern that the event
regex property matches.. It is required
when property type is TIME.
v locale - Optional - String - The
language tag of the locale that the
property matches. The locale is required
when the property type is TIME.

Table 1479. POST /config/event_sources/custom_properties/regex_properties response

codes
HTTP Response
Code Unique Code Description
201 A new event regex property was created.
422 1005 One or more request parameter are invalid in the
request.
500 1020 An error occurred during the attempt to create a
new event regex property.

Response Description

The newly created event regex property that contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.

750 QRadar API Reference Guide

v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id}
Retrieves a event regex property based on the supplied regex property ID.

Retrieves a event regex property based on the supplied regex property ID.
Table 1480. GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 1481. GET /config/event_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the
event_regex_property.
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object
are separated by commas.

Chapter 7. Previous REST API versions 751

 Table 1482. GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The requested event regex property was successfully
retrieved.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the
requested event regex property.

Response Description

A event regex property that contains the following fields:

v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of the
event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/event_sources/custom_properties/
regex_properties/{regex_property_id}
Updates an existing event regex property.

Updates an existing event regex property.

Table 1483. POST /config/event_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

752 QRadar API Reference Guide

Table 1484. POST /config/event_sources/custom_properties/regex_properties/
{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the event regex property.
fields header Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Chapter 7. Previous REST API versions 753

 Table 1485. POST /config/event_sources/custom_properties/regex_properties/
{regex_property_id} request body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON { "creation_date": 42,
json representation of the "datetime_format":
event regex property "String", "description":
object. "String", "id": 42,
v description - "identifier": "String",
Optional - String - "locale": "String",
The description of the "modification_date": 42,
event regex property. "name": "String",
"property_type": "String
v property_type -
<one of: string,
Optional - String -
numeric, ip, port,
The property type
time>",
(string, numeric, ip,
"use_for_rule_engine":
port, time) of event
true, "username":
regex property.
"String" }
v use_for_rule_engine -
Optional - Boolean -
The flag to indicate if
the event regex
property is parsed
when the event is
received.
v datetime_format -
Optional - String -
The date/time
pattern that the event
regex property
matches. It is
required when
property type is
TIME.
v locale - Optional -
String - The language
tag of the locale that
the property matches.
The locale is required
when the property
type is TIME.
v username - Optional
- String - The owner
of the event regex
property. If the input
username is
authorized service,
the prefix "API_token:
" is required.

Table 1486. POST /config/event_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The event regex property was updated.

754 QRadar API Reference Guide

Table 1486. POST /config/event_sources/custom_properties/regex_properties/
{regex_property_id} response codes (continued)
HTTP Response
Code Unique Code Description
403 1009 The user cannot update the resource because it only
can be updated by the owner or admin user.
404 1002 The requested event regex property cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred during the attempt to update an
event regex property.

Response Description

The updated event regex property object contains the following fields:
v id - Integer - The sequence ID of the event regex property.
v identifier - String - The ID of the event regex property.
v name - String - The name of the event regex property.
v username - String - The owner of the event regex property.
v description - String - The description of the event regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
event regex property.
v use_for_rule_engine - Boolean - The flag to indicate if the event regex property
is parsed when the event is received.
v datetime_format - String - The date/time pattern that the event regex property
matches.
v locale - String - The language tag of the locale the the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/event_sources/custom_properties/
regex_properties/{regex_property_id}
Deletes an event regex property. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task is started to
do this check.

Deletes an event regex property. To ensure safe deletion, a dependency check is

carried out. This check might take some time. An asynchronous task is started to
do this check.

Chapter 7. Previous REST API versions 755

 Table 1487. DELETE /config/event_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 1488. DELETE /config/event_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 1489. DELETE /config/event_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
202 The event regex property delete request was
accepted and is in progress.
403 1009 The user cannot delete the regex_property because it
only can be deleted by the owner or admin user.
404 1002 The requested event regex property cannot be found.
500 1020 An error occurred while attempting to delete the
event regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_delete_tasks/
{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,

756 QRadar API Reference Guide

 "created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id}/dependents
Retrieves the objects that depend on the event regex property.

Retrieves the objects that depend on the event regex property.

Table 1490. GET /config/event_sources/custom_properties/regex_properties/
{regex_property_id}/dependents resource details
MIME Type
application/json

Table 1491. GET /config/event_sources/custom_properties/regex_properties/

{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 1492. GET /config/event_sources/custom_properties/regex_properties/

{regex_property_id}/dependents response codes
HTTP Response
Code Unique Code Description
202 The event regex property dependents retrieval was
accepted and is in progress.
404 1002 The event regex property does not exist.
500 1020 An error occurred while attempting to initiate the
event regex property dependents retrieval task.

Chapter 7. Previous REST API versions 757

 Response Description

A Dependents Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/
regex_property_dependents_tasks/{task_id}". A Dependent Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,

758 QRadar API Reference Guide

 "status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/
regex_property_delete_tasks/{task_id}
Retrieves the event regex property delete task status.

Retrieves the event regex property delete task status.

Chapter 7. Previous REST API versions 759

 Table 1493. GET /config/event_sources/custom_properties/regex_property_delete_tasks/
{task_id} resource details
MIME Type
application/json

Table 1494. GET /config/event_sources/custom_properties/regex_property_delete_tasks/

{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1495. GET /config/event_sources/custom_properties/regex_property_delete_tasks/

{task_id} response codes
HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The requested delete task status cannot be found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_delete_tasks/
{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

760 QRadar API Reference Guide

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Retrieves the event regex property dependent task status.

Retrieves the event regex property dependent task status.

Table 1496. GET /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1497. GET /config/event_sources/custom_properties/

regex_property_dependent_tasks/{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 761

 Table 1498. GET /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested dependent task status cannot be
found.
422 1005 The task ID is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

762 QRadar API Reference Guide

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

Chapter 7. Previous REST API versions 763

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Cancels the regex property dependent task.

Cancels the regex property dependent task.

Table 1499. POST /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1500. POST /config/event_sources/custom_properties/

regex_property_dependent_tasks/{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1501. POST /config/event_sources/custom_properties/

regex_property_dependent_tasks/{task_id} request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

764 QRadar API Reference Guide

Table 1502. POST /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/event_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Chapter 7. Previous REST API versions 765

 Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

766 QRadar API Reference Guide

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.

Retrieves the regex property dependent task results.

Table 1503. GET /config/event_sources/custom_properties/
regex_property_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1504. GET /config/event_sources/custom_properties/

regex_property_dependent_tasks/{task_id}/results request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1505. GET /config/event_sources/custom_properties/

regex_property_dependent_tasks/{task_id}/results response codes
HTTP Response
Code Unique Code Description
200 The regex property dependents were retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the
task results.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource )default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.

Chapter 7. Previous REST API versions 767

 v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

768 QRadar API Reference Guide

GET /config/extension_management/extensions
Retrieve a list of extensions.
Table 1506. GET /config/extension_management/extensions resource details
MIME Type
application/json

Table 1507. GET /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1508. GET /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
200 The requested list of extensions has been retrieved.
422 22608 The supplied filter is invalid.
422 22615 Unknown status used in filter.
422 22610 The selected field cannot be utilized for sorting.
422 22609 Only top-level-elements of the root entity can be
sorted on.
500 22602 An error has occurred while trying to retrieve the
list of extensions.

Chapter 7. Previous REST API versions 769

 Response Description

A list of extensions. Each extension contains the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
[
{
"file_location": "/store/cmt/exports/custom_rule.zip",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 3,
"identifier": "No Description Supplied",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Blacklist",

770 QRadar API Reference Guide

 "content_type_name": "reference_data"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Whitelist",
"content_type_name": "reference_data"
},
{
"content_type_id": 32,
"identifier": "No Description Supplied",
"content_type_name": "reference_data_rules"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150825133843",
"size": 8575,
"id": 59,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "custom_rule.xml",
"install_time": 1440788704856,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440693660702
},
{
"file_location": "/store/cmt/exports/qidmap.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmap.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}
]

Chapter 7. Previous REST API versions 771

 POST /config/extension_management/extensions
Uploads the supplied extension file to the IBM Security QRadarsystem.
Table 1509. POST /config/extension_management/extensions resource details
MIME Type
application/json

Table 1510. POST /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1511. POST /config/extension_management/extensions request body details

Parameter Data Type MIME Type Description Sample
file File application/x-gzip Required - The File
Extension file. Must be
a properly-formed
QRadar
extension/content
export, either an XML
file or an XML within a
ZIP or TAR.GZ archive.
Must be provided with
MIME type
application/xml,
application/zip,
application/x-gzip or
multipart/form-data

Table 1512. POST /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
201 The supplied extension file has been uploaded.
409 22613 The supplied extension file can not be uploaded
because it shares the same hub_id and version as
one of the extensions in the system.
422 22607 The supplied extension could not be validated
successfully
422 22616 The supplied manifest for the extension is invalid.
500 22602 An error has occurred while trying to upload the
extension file.

772 QRadar API Reference Guide

Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,

Chapter 7. Previous REST API versions 773

 "min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

GET /config/extension_management/extensions/{extension_id}
Retrieves an extension based on the supplied extension ID.
Table 1513. GET /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Table 1514. GET /config/extension_management/extensions/{extension_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1515. GET /config/extension_management/extensions/{extension_id} response codes

HTTP Response
Code Unique Code Description
200 The requested extension has been retrieved.
404 22603 The requested extension cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
requested extension.

Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.

774 QRadar API Reference Guide

v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,

Chapter 7. Previous REST API versions 775

 "installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

POST /config/extension_management/extensions/{extension_id}
Install an extension based on the supplied extension ID. This is an asynchronous
action.

Installs the Extension corresponding to the supplied extension ID Alternatively can

be used to preview an extension, showing what values are applied if the extension
is installed.
Table 1516. POST /config/extension_management/extensions/{extension_id} resource
details
MIME Type
application/json

Table 1517. POST /config/extension_management/extensions/{extension_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
action_type query Required String text/plain Required - The desired
action to take on the
Extension (INSTALL or
PREVIEW)
overwrite query Optional Boolean text/plain Optional - If true, any
existing items on the
importing system will be
overwritten if the
extension contains the
same items. If false,
existing items will be
preserved, and the
corresponding items in
the extension will be
skipped.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1518. POST /config/extension_management/extensions/{extension_id} response

codes
HTTP Response
Code Unique Code Description
202 The requested install or preview task has been
started.
404 22603 The requested extension cannot be found.

776 QRadar API Reference Guide

Table 1518. POST /config/extension_management/extensions/{extension_id} response
codes (continued)
HTTP Response
Code Unique Code Description
404 22604 The task status for status_id cannot be found.
409 22612 The supplied extension cannot be
installed/previewed because it is already installed
409 22611 The supplied extension cannot be
installed/previewed because it is already in the
process of being installed/previewed.
409 22618 The requested task can not be initiated because
another preview/install task is already in progress.
422 22605 The supplied action type is invalid
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to install or
preview the requested extension.

Response Description

A JSON string depicting the accepted task for previewing/installing an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

DELETE /config/extension_management/extensions/
{extension_id}
Uninstall an extension based on the supplied extension ID. This is an
asynchronous action.

Chapter 7. Previous REST API versions 777

 Table 1519. DELETE /config/extension_management/extensions/{extension_id} resource
details
MIME Type
application/json

Table 1520. DELETE /config/extension_management/extensions/{extension_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension to be
uninstalled.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1521. DELETE /config/extension_management/extensions/{extension_id} response

codes
HTTP Response
Code Unique Code Description
202 The requested uninstall task has been started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22611 The supplied extension cannot be uninstalled
because it is already in the process of being
uninstalled.
409 22617 The extension can not be uninstalled because it is
already in the process of being previewed/installed.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to uninstall an
extension.

Response Description

A JSON string depicting the accepted task for uninstalling an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {

778 QRadar API Reference Guide

 "progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

GET /config/extension_management/extensions_task_status/
{status_id}
Retrieves the tasks status based on the status ID.
Table 1522. GET /config/extension_management/extensions_task_status/{status_id}
resource details
MIME Type
application/json

Table 1523. GET /config/extension_management/extensions_task_status/{status_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - the id of the
(Integer) task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1524. GET /config/extension_management/extensions_task_status/{status_id}

response codes
HTTP Response
Code Unique Code Description
200 The requested task status has been retrieved.
404 22604 The task status for status_id cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
task status.

Chapter 7. Previous REST API versions 779

 Response Description

A task status containing the following fields:

v id - Number - The ID of the task status.
v name - String - The name of the task status.
v status - String - A string that represents the current state of the task status.
v message - String - A message regarding the current state of the task.
v progress - Number - The current progress of the task
v minimum - Number - The minimum progress of the task.
v maximum - Number - The maximum progress of the task.
v created_by - String - The username of the user who created the task.
v cancelled_by - String - The username of the user who cancelled the task.
v created - Number - The date/time at which this task was created, represented as
number of milliseconds since Unix epoch.
v started - Number - The date/time at which this task was started, represented as
number of milliseconds since Unix epoch.
v modified - Number - The date/time at which this task was last modified,
represented as number of milliseconds since Unix epoch.
v completed - Number - The date/time at which this task was completed,
represented as number of milliseconds since Unix epoch.
v result_url - String - The url where the result can be viewed.
v cancel_requested - Boolean - True if cancel has been requested.
v child_tasks - Array - Array of child task id's that are executed asynchronously
from this task.
v task_components - Array - Array of task components that are executed
sequentially.

Response Sample
{
"progress": 0,
"result_url": "",
"cancelled_by": "",
"status": "COMPLETED",
"task_components": null,
"modified": 1440891517961,
"id": 102,
"message": "Completed Extension uninstallation task for extension id 56",
"created_by": "admin",
"created": 1440891514006,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891514041,
"completed": 1440891515224
}

780 QRadar API Reference Guide

GET /config/extension_management/extensions_task_status/
{status_id}/results
Retrieves the tasks status results based on the status ID.
Table 1525. GET /config/extension_management/extensions_task_status/{status_id}/results
resource details
MIME Type
application/json

Table 1526. GET /config/extension_management/extensions_task_status/{status_id}/results

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - The id of
(Integer) the task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1527. GET /config/extension_management/extensions_task_status/{status_id}/results

response codes
HTTP Response
Code Unique Code Description
200 The requested results of the task status have been
retrieved.
404 22604 The task status for status_id cannot be found.
404 22614 The task results are not available.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
results of a task status.

Response Description

A JSON object representing the result of an Extension preview, install or uninstall

task. It contains the following fields:
v id - Number - The ID of the extension.
v task_type - String - The type of task that was issued against the Extension.
v content - Array - An array of JSON objects representing the contents of the
extension and what action is associated with each content item for the task that
was executed. Each content item contains the following fields:
name - String - The name of the content item.
content_type_id - Number - The ID of the type of the content item.

Chapter 7. Previous REST API versions 781

 content_type_name - String - The name of the type of the content item.
action - String - The action taken for the content item.

Response Sample
{
"id": 56,
"task_type": "UNINSTALL",
"content": [
{
"content_type_id": 3,
"name": "SYSTEM-1607",
"action": "SKIP",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"name": "Asset Reconciliation IPv4 Whitelist",
"action": "SKIP",
"content_type_name": "reference_data"
}
]
}

GET /config/flow_retention_buckets
Retrieves a list of flow retention buckets.

Retrieves a list of flow retention buckets.

Table 1528. GET /config/flow_retention_buckets resource details
MIME Type
application/json

Table 1529. GET /config/flow_retention_buckets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

782 QRadar API Reference Guide

Table 1529. GET /config/flow_retention_buckets request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1530. GET /config/flow_retention_buckets response codes

HTTP Response
Code Unique Code Description
200 The flow retention buckets were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
flow retention buckets.

Response Description

An array of Retention Bucket objects. An Retention Bucket object contains the

following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )
v priority - Integer - The priority of the retention bucket. ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention
bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
[
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",

Chapter 7. Previous REST API versions 783

 "description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}
]

GET /config/flow_retention_buckets/{id}
Retrieves a flow retention bucket.

Retrieves a flow retention bucket.

Table 1531. GET /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 1532. GET /config/flow_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1533. GET /config/flow_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The flow retention bucket was retrieved.
404 1002 The flow retention bucket does not exist.
500 1020 An error occurred during the attempt to retrieve the
flow retention bucket.

Response Description

The retention bucket after it is retrieved. An Retention Bucket object contains the
following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 )
v priority - Integer - The priority of the retention bucket. ( 0 - 10 ).
v name - String - The name of the retention bucket.

784 QRadar API Reference Guide

v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search that is used by the
retention bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",
"description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

POST /config/flow_retention_buckets/{id}
Updates the flow retention bucket owner, or enabled/disabled only.

Updates the flow retention bucket owner, or enabled/disabled only.

Table 1534. POST /config/flow_retention_buckets/{id} resource details
MIME Type
application/json

Table 1535. POST /config/flow_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 785

 Table 1536. POST /config/flow_retention_buckets/{id} request body details
MIME
Parameter Data Type Type Description Sample
retention_bucket Object application/ null { "bucket_id": 42,
json "database": "String",
"description": "String",
"enabled": true, "id":
42, "name": "String",
"period": 42, "priority":
42, "saved_search_id":
"String" }

Table 1537. POST /config/flow_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
200 The flow retention bucket was updated.
404 1002 The Flow Retention Bucket does not exist.
409 1004 The provided user does not have the required
capabilities to own the flow retention bucket.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
flow retention bucket.

Response Description

The Retention Bucket after it is updated. A Retention Bucket object contains the
following fields:
v id - Integer - The ID of the retention bucket.
v bucket_id - Integer - The Bucket ID of the retention bucket. ( 0 - 10 ).
v priority - Integer - The priority of the retention bucket ( 0 - 10 ).
v name - String - The name of the retention bucket.
v database - String - The database of the retention bucket, EVENTS or FLOWS.
v description - String - The description of the retention bucket.
v period - Integer - The retention period in hours.
v delete - String - The delete protocol of the retention bucket, IMMEDIATELY or
ON_DEMAND.
v created - Long - The time in milliseconds since epoch since the retention bucket
was created.
v modified - Long - The time in milliseconds since epoch since the retention
bucket was last modified.
v saved_search_id - String - The ID of the saved search used by the retention
bucket.
v enabled - Boolean - True if the retention bucket is enabled.

Response Sample
{
"bucket_id": 42,
"created": 42,
"database": "String",
"deletion": "String <one of: ON_DEMAND, IMMEDIATELY>",

786 QRadar API Reference Guide

 "description": "String",
"enabled": true,
"id": 42,
"modified": 42,
"name": "String",
"period": 42,
"priority": 42,
"saved_search_id": "String"
}

DELETE /config/flow_retention_buckets/{id}
Deletes a flow retention bucket.

Deletes a flow retention bucket.

Table 1538. DELETE /config/flow_retention_buckets/{id} resource details
MIME Type
text/plain

Table 1539. DELETE /config/flow_retention_buckets/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Table 1540. DELETE /config/flow_retention_buckets/{id} response codes

HTTP Response
Code Unique Code Description
204 The flow retention bucket was deleted.
403 1009 You do not have the proper capabilities to delete the
flow retention bucket.
404 1002 The flow retention bucket does not exist.
500 1020 An error occurred during the attempt to delete the
flow retention bucket.

Response Description

Response Sample

GET /config/flow_sources/custom_properties/
property_expressions
Retrieve a list of flow regex property expressions.

Retrieves a list of flow regex property expressions.

Table 1541. GET /config/flow_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

Chapter 7. Previous REST API versions 787

 Table 1542. GET /config/flow_sources/custom_properties/property_expressions request
parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1543. GET /config/flow_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
200 The requested list of flow regex property expressions
was retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of flow regex property expressions.

Response Description

A list of flow regex property expressions. Each regex property expression contains
the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.

788 QRadar API Reference Guide

v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
[
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}
]

POST /config/flow_sources/custom_properties/
property_expressions
Creates a new flow regex property expression.

Creates a new flow regex property expression.

Table 1544. POST /config/flow_sources/custom_properties/property_expressions resource
details
MIME Type
application/json

Table 1545. POST /config/flow_sources/custom_properties/property_expressions request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 789

 Table 1546. POST /config/flow_sources/custom_properties/property_expressions request
body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON representation of { "capture_group": 42,
json the regex property expression object. "creation_date": 42, "enabled": true,
v regex_property_identifier - "id": 42, "identifier": "String",
Required - String - The identifier "low_level_category_id": 42,
"modification_date": 42, "payload":
of the flow regex property that
"String", "payload_origin": "String
this expression belongs to.
<one of: event_payload,
v enabled - Optional - Boolean - source_payload,
Flag that indicates whether this destination_payload>", "qid": 42,
expression is enabled. It defaults "regex": "String",
to true if not provided. "regex_property_identifier": "String",
"username": "String" }
v regex - Required - String - The
regex to extract the property from
the payload.
v capture_group - Optional -
Integer - The capture group to
capture. It defaults to 1 if not
provided.
v payload - Optional - String - Test
payload. This is only used in the
UI so that the user can verify
their regex matches the expected
payload.
v qid - Optional - Integer - The QID
of the flow to apply this
expression to.
v low_level_category_id - Optional
- Integer - The expression is
applied to all flows with this low
level category.
v payload_origin - Required -
String - The payload type
(source_payload,
destination_payload) to apply the
expression to.

Table 1547. POST /config/flow_sources/custom_properties/property_expressions response

codes
HTTP Response
Code Unique Code Description
201 A new flow regex property expression was created.
422 1005 One or more request parameter are invalid in the
request.
500 1020 An error occurred during the attempt to create a
new flow regex property expression.

Response Description

The newly created flow regex property expression containing the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.

790 QRadar API Reference Guide

v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

GET /config/flow_sources/custom_properties/
property_expressions/{expression_id}
Retrieves a flow regex property expression based on the supplied expression ID.

Retrieves a flow regex property expression based on the supplied expression ID.
Table 1548. GET /config/flow_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Table 1549. GET /config/flow_sources/custom_properties/property_expressions/

{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The sequence ID of the
(Integer) flow_regex_property_expression.
fields query Optional String text/plain Optional - Use this parameter to
specify which fields you would like
to get back in the response. Fields
that are not named are excluded.
Specify subfields in brackets and
multiple fields in the same object are
separated by commas.

Chapter 7. Previous REST API versions 791

 Table 1550. GET /config/flow_sources/custom_properties/property_expressions/
{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The requested flow regex property expression was
successfully retrieved.
404 1002 The requested flow regex property expression cannot
be found.
500 1020 An error occurred during the attempt to retrieve the
requested flow regex property expression.

Response Description

A flow regex property expression containing the following fields:

v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

792 QRadar API Reference Guide

POST /config/flow_sources/custom_properties/
property_expressions/{expression_id}
Updates an existing flow regex property expression.

Updates an existing flow regex property expression.

Table 1551. POST /config/flow_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
application/json

Table 1552. POST /config/flow_sources/custom_properties/property_expressions/

{expression_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
expression_id path Required Number text/plain Required - The
(Integer) sequence ID of the
flow regex property
expression.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

Chapter 7. Previous REST API versions 793

 Table 1553. POST /config/flow_sources/custom_properties/property_expressions/
{expression_id} request body details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A JSON { "capture_group": 42, "creation_date": 42,
json representation of the flow "enabled": true, "id": 42, "identifier":
regex property expression "String", "low_level_category_id": 42,
object. "modification_date": 42, "payload":
v "String", "payload_origin": "String <one
regex_property_identifier of: event_payload, source_payload,
destination_payload>", "qid": 42, "regex":
- Optional - String - The
"String", "regex_property_identifier":
identifier of the flow
"String", "username": "String" }
regex property that this
expression belongs to.
v enabled - Optional -
Boolean - Flag that
indicates whether this
expression is enabled.
v regex - Optional - String
- The regex to extract the
property from the
payload.
v capture_group -
Optional - Integer - The
capture group to
capture.
v payload - Optional -
String - Test payload.
This is only used in the
UI so that the user can
verify their regex
matches the expected
payload.
v qid - Optional - Integer -
The QID of the flow to
apply this expression to.
v low_level_category_id -
Optional - Integer - The
expression is applied to
all flows with this low
level category.
v payload_origin -
Optional - String - The
payload type
(source_payload,
destination_payload) to
apply the expression to.
v username - Optional -
String - The owner of
the flow regex property
expression. If the input
username is authorized
service, the prefix
"API_token: " is
required.

Table 1554. POST /config/flow_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
200 The flow regex property expression was updated.
403 1009 The user cannot update the resource because it only
can be updated by the owner or admin user.
404 1002 The requested flow regex property expression cannot
be found.

794 QRadar API Reference Guide

Table 1554. POST /config/flow_sources/custom_properties/property_expressions/
{expression_id} response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an
flow regex property expression.

Response Description

The updated flow regex property expression object contains the following fields:
v id - Integer - The sequence ID of the flow regex property expression.
v identifier - String - The ID of the flow regex property expression.
v regex_property_identifier - String - The identifier of the flow regex property
that this expression belongs to.
v enabled - Boolean - Flag that indicates whether this expression is enabled.
v regex - String - The regex to extract the property from the payload.
v capture_group - Integer - The capture group to capture.
v payload - String - Test payload. This is only used in the UI so that the user can
verify their regex matches the expected payload.
v qid - Integer - The QID of the flow to apply this expression to.
v low_level_category_id - Integer - The expression is applied to all flows with this
low level category.
v payload_origin - BaseProperty - The payload type (source_payload,
destination_payload) to apply the expression to.
v username - String - The owner of the flow regex property expression.

Response Sample
{
"capture_group": 42,
"creation_date": 42,
"enabled": true,
"id": 42,
"identifier": "String",
"low_level_category_id": 42,
"modification_date": 42,
"payload": "String",
"payload_origin": "String <one of:
event_payload,
source_payload,
destination_payload>",
"qid": 42,
"regex": "String",
"regex_property_identifier": "String",
"username": "String"
}

DELETE /config/flow_sources/custom_properties/
property_expressions/{expression_id}
Deletes a flow regex property expression based on the supplied expression ID.

Deletes a flow regex property expression based on the supplied expression ID.

Chapter 7. Previous REST API versions 795

 Table 1555. DELETE /config/flow_sources/custom_properties/property_expressions/
{expression_id} resource details
MIME Type
text/plain

Table 1556. DELETE /config/flow_sources/custom_properties/property_expressions/

{expression_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
expression_id path Required Number text/plain Required - The sequence ID of the
(Integer) flow_regex_property_expression.

Table 1557. DELETE /config/flow_sources/custom_properties/property_expressions/

{expression_id} response codes
HTTP Response
Code Unique Code Description
204 The requested flow regex property expression was
successfully deleted.
403 1009 The user cannot delete the resource because it only
can be deleted by the owner or admin user.
404 1002 The requested flow regex property expression cannot
be found.
500 1020 An error occurred during the attempt to delete the
requested flow regex property expression.

Response Description

Response Sample

GET /config/flow_sources/custom_properties/regex_properties
Retrieves a list of flow regex properties.

Retrieves a list of flow regex properties.

Table 1558. GET /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 1559. GET /config/flow_sources/custom_properties/regex_properties request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

796 QRadar API Reference Guide

 Table 1559. GET /config/flow_sources/custom_properties/regex_properties request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1560. GET /config/flow_sources/custom_properties/regex_properties response codes

HTTP Response
Code Unique Code Description
200 The requested list of flow regex properties was
retrieved.
422 1010 An error occurred while building the filter.
500 1020 An error occurred during the attempt to retrieve the
list of flow regex properties.

Response Description

A list of flow regex properties. Each regex property contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.
v locale - String - The language tag of the locale that the property matches.
.

Response Sample
[
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",

Chapter 7. Previous REST API versions 797

 "locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}
]

POST /config/flow_sources/custom_properties/regex_properties
Creates a new flow regex property.

Creates a new flow regex property.

Table 1561. POST /config/flow_sources/custom_properties/regex_properties resource details
MIME Type
application/json

Table 1562. POST /config/flow_sources/custom_properties/regex_properties request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

798 QRadar API Reference Guide

Table 1563. POST /config/flow_sources/custom_properties/regex_properties request body
details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON representation of { "creation_date": 42,
json the flow regex property object. "datetime_format": "String",
v name - Required - String - The "description": "String", "id": 42,
name of the flow regex property. "identifier": "String", "locale":
"String", "modification_date": 42,
v description - Optional - String - "name": "String", "property_type":
The description of the flow regex "String <one of: string, numeric, ip,
property. port, time>", "use_for_rule_engine":
v property_type - Required - String true, "username": "String" }
- The property type (string,
numeric, ip, port, time) of flow
regex property.
v use_for_rule_engine - Optional -
Boolean - The flag that indicates
if the flow regex property is
parsed when the flow was
captured.
v datetime_format - Optional -
String - The date/time pattern
that the flow regex property
matches. It is required when
property type is TIME.
v locale - Optional - String - The
language tag of the locale that the
property matches. The locale is
required when property type is
TIME.

Table 1564. POST /config/flow_sources/custom_properties/regex_properties response codes

HTTP Response
Code Unique Code Description
201 A new flow regex property was created.
422 1005 One or more request parameter are invalid in the
request.
500 1020 An error occurred during the attempt to create a
new flow regex property.

Response Description

The newly created flow regex property that contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Chapter 7. Previous REST API versions 799

 Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id}
Retrieves a flow regex property based on the supplied regex property ID.

Retrieves a flow regex property based on the supplied regex property ID.
Table 1565. GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 1566. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the flow_regex_property.
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 1567. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The requested flow regex property was successfully
retrieved.
404 1002 The requested flow regex property cannot be found.
500 1020 An error occurred during the attempt to retrieve the
requested flow regex property.

Response Description

A flow regex property that contains the following fields:

v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
800 QRadar API Reference Guide
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow was captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

POST /config/flow_sources/custom_properties/regex_properties/
{regex_property_id}
Updates an existing flow regex property.

Updates an existing flow regex property.

Table 1568. POST /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 1569. POST /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the flow regex property.
fields header Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Chapter 7. Previous REST API versions 801

 Table 1570. POST /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} request body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A JSON { "creation_date": 42,
json representation of the "datetime_format":
flow regex property "String", "description":
object. "String", "id": 42,
v description - "identifier": "String",
Optional - String - "locale": "String",
The description of the "modification_date": 42,
flow regex property. "name": "String",
"property_type": "String
v property_type -
<one of: string,
Optional - String -
numeric, ip, port,
The property type
time>",
(string, numeric, ip,
"use_for_rule_engine":
port, time) of flow
true, "username":
regex property.
"String" }
v use_for_rule_engine -
Optional - Boolean -
The flag that
indicates if the flow
regex property is
parsed when the flow
is captured. It is false
if no value supplied.
v datetime_format -
Optional - String -
The date/time
pattern that the flow
regex property
matches. It is
required when
property type is
TIME.
v locale - Optional -
String - The language
tag of the locale that
the property
matches.The locale is
required when
property type is
TIME.
v username - Optional
- String - The owner
of the event regex
property. If the input
username is
authorized service,
the prefix "API_token:
" is required.

802 QRadar API Reference Guide

Table 1571. POST /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} response codes
HTTP Response
Code Unique Code Description
200 The flow regex property was updated.
403 1009 The user cannot update the resourse because it only
can be updated by the owner or admin user.
404 1002 The requested flow regex property cannot be found.
422 1005 One or more parameters are invalid in the request.
500 1020 An error occurred during the attempt to update an
flow regex property.

Response Description

The updated flow regex property object contains the following fields:
v id - Integer - The sequence ID of the flow regex property.
v identifier - String - The ID of the flow regex property.
v name - String - The name of the flow regex property.
v username - String - The owner of the flow regex property.
v description - String - The description of the flow regex property.
v property_type - String - The property type (string, numeric, ip, port, time) of
flow regex property.
v use_for_rule_engine - Boolean - The flag that indicates if the flow regex
property is parsed when the flow is captured.
v datetime_format - String - The date/time pattern that the flow regex property
matches.
v locale - String - The language tag of the locale that the property matches.

Response Sample
{
"creation_date": 42,
"datetime_format": "String",
"description": "String",
"id": 42,
"identifier": "String",
"locale": "String",
"modification_date": 42,
"name": "String",
"property_type": "String <one of: string, numeric, ip, port, time>",
"use_for_rule_engine": true,
"username": "String"
}

DELETE /config/flow_sources/custom_properties/
regex_properties/{regex_property_id}
Deletes a flow regex property. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task is started to
do this check.

Deletes a flow regex property. To ensure safe deletion, a dependency check is

carried out. This check might take some time. An asynchronous task is started to
do this check.

Chapter 7. Previous REST API versions 803

 Table 1572. DELETE /config/flow_sources/custom_properties/regex_properties/
{regex_property_id} resource details
MIME Type
application/json

Table 1573. DELETE /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain Required - The sequence ID
(Integer) of the Flow Regex property
to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 1574. DELETE /config/flow_sources/custom_properties/regex_properties/

{regex_property_id} response codes
HTTP Response
Code Unique Code Description
202 The flow regex property delete request was accepted
and is in progress
403 1009 The user cannot delete the regex_property because it
only can be deleted by the owner or admin user.
404 1002 The requested flow regex property cannot be found.
500 1020 An error occurred during the attempt to delete the
flow regex property.

Response Description

A Delete Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_delete_tasks/
{task_id}". A Delete Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task .
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

804 QRadar API Reference Guide

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id}/dependents
Retrieves the objects that depend on the flow regex property.

Retrieves the objects that depend on the flow regex property.

Table 1575. GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id}/dependents resource details
MIME Type
application/json

Table 1576. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id}/dependents request parameter details
Parameter Type Optionality Data Type MIME Type Description
regex_property_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify which
fields you would like to get
back in the response. Fields
that are not named are
excluded. Specify subfields
in brackets and multiple
fields in the same object are
separated by commas.

Table 1577. GET /config/flow_sources/custom_properties/regex_properties/

{regex_property_id}/dependents response codes
HTTP Response
Code Unique Code Description
202 The flow regex property dependents retrieval was
accepted and is in progress.
404 1002 The flow regex property does not exist.

Chapter 7. Previous REST API versions 805

 Table 1577. GET /config/flow_sources/custom_properties/regex_properties/
{regex_property_id}/dependents response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to initiate the
flow regex property dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_dependents_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,

806 QRadar API Reference Guide

 "created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

Chapter 7. Previous REST API versions 807

 GET /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Retrieves the flow regex property dependent task status.

Retrieves the flow regex property dependent task status.

Table 1578. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id} resource details
MIME Type
application/json

Table 1579. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1580. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The requested task status cannot be found.
422 1005 The task id is invalid in the request.
500 1020 An error occurred during the attempt to retrieve the
task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.

808 QRadar API Reference Guide

v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,

Chapter 7. Previous REST API versions 809

 "maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id}
Cancels the flow regex property dependent task.

Cancels the flow regex property dependent task.

Table 1581. POST /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1582. POST /config/flow_sources/custom_properties/

regex_property_dependent_tasks/{task_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

810 QRadar API Reference Guide

Table 1582. POST /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1583. POST /config/flow_sources/custom_properties/

regex_property_dependent_tasks/{task_id} request body details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 1584. POST /config/flow_sources/custom_properties/

regex_property_dependent_tasks/{task_id} response codes
HTTP Response
Code Unique Code Description
200 The delete task status was cancelled.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}". A Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.

Chapter 7. Previous REST API versions 811

 v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,

812 QRadar API Reference Guide

 QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /config/flow_sources/custom_properties/
regex_property_dependent_tasks/{task_id}/results
Retrieves the regex property dependent task results.

Retrieves the regex property dependent task results.

Table 1585. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}/results resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 813

 Table 1586. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/
{task_id}/results request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1587. GET /config/flow_sources/custom_properties/regex_property_dependent_tasks/

{task_id}/results response codes
HTTP Response
Code Unique Code Description
200 The requested task results was retrieved.
404 1002 The requested task status cannot be found.
500 1020 An error occurred during the attempt to retrieve the
task status.

Response Description

A list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:

814 QRadar API Reference Guide

 ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /config/global_system_notifications
Retrieves a list of all deployed global system notifications.

Retrieves the list of deployed global system notifications

Table 1588. GET /config/global_system_notifications resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 815

 Table 1589. GET /config/global_system_notifications request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1590. GET /config/global_system_notifications response codes

HTTP Response
Code Unique Code Description
200 The deployed global system notifications list was
successfully retrieved.
500 1020 An internal server error occurred while retrieving
the list of deployed global system notifications.

Response Description

A list of all deployed global system notifications.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}
]

816 QRadar API Reference Guide

GET /config/global_system_notifications/{notification_id}
Retrieves a deployed global system notification by ID.

Retrieves a deployed global system notification by id.

Table 1591. GET /config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 1592. GET /config/global_system_notifications/{notification_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
notification_id path Required Number text/plain ID that is used for
(Integer) retrieving a deployed
global system
notification.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

Table 1593. GET /config/global_system_notifications/{notification_id} response codes

HTTP Response
Code Unique Code Description
200 The deployed global system notification was
successfully retrieved.
404 1002 No deployed global system notification was found
for the provided notification ID.
500 1020 An error occurred while the notification was being
retrieved.

Response Description

The associated deployed global system notification object.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

Chapter 7. Previous REST API versions 817

 GET /config/network_hierarchy/networks
Retrieves the deployed network hierarchy.

Retrieves the deployed network hierarchy.

Table 1594. GET /config/network_hierarchy/networks resource details
MIME Type
application/json

Table 1595. GET /config/network_hierarchy/networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1596. GET /config/network_hierarchy/networks response codes

HTTP Response
Code Unique Code Description
200 The network hierarchy was returned.
500 1020 An error occurred during the attempt to retreive the
network hierarchy.

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with

the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

818 QRadar API Reference Guide

GET /config/network_hierarchy/staged_networks
Retrieves the staged network hierarchy.

Retrieves the staged network hierarchy.

Table 1597. GET /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 1598. GET /config/network_hierarchy/staged_networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1599. GET /config/network_hierarchy/staged_networks response codes

HTTP Response
Code Unique Code Description
200 The network hierarchy was returned
500 1020 An error occurred during the attempt to retreive the
network hierarchy

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects with

the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

Chapter 7. Previous REST API versions 819

 PUT /config/network_hierarchy/staged_networks
Replaces the current network hierarchy with the input that is provided.

Replaces the current network hierarchy with the input that is provided.
Table 1600. PUT /config/network_hierarchy/staged_networks resource details
MIME Type
application/json

Table 1601. PUT /config/network_hierarchy/staged_networks request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1602. PUT /config/network_hierarchy/staged_networks request body details

Parameter Data Type MIME Type Description Sample
network_hierarchy Array<Object> application/ Required - A JSON String that [ { "id": 4, "group": "DMZ", "name":
json contains network hierarchy objects "External", "description": "network
with the following fields: description", "cidr": "0.0.0.1/32",
"domain_id": 0 }, { "id": 5, "group":
v id - Optional - Integer - The ID of
"DMZ", "name": "External",
the network object.
"description": "network description",
v group - Required - String - The "cidr": "0.0.0.2/32", "domain_id": 0 } ]
group of the network object.
v name - Required - String - The
name of the network object.
v cidr - Required - String - The
CIDR range of the network object.
v description - Optional - String -
The description of the network
object.
v domain_id - Optional - Integer -
The domain ID of the network
object (required if domain aware).

Table 1603. PUT /config/network_hierarchy/staged_networks response codes

HTTP Response
Code Unique Code Description
200 The network hierarchy was successfully replaced.
409 1004 A duplicate parameter was passed to the API call.
422 1005 An invalid parameter was passed to the API call.
500 1020 An unexpected error occurred during the creation of
the network hierarchy.

820 QRadar API Reference Guide

Response Description

Network Hierarchy - A JSON string that contains network_hierarchy objects, each

with the following fields:
v id - Integer - The ID of the network object.
v group - String - The group of the network object.
v name - String - The name of the network object.
v cidr - String - The CIDR range of the network object.
v description - String - The description of the network object.
v domain_id - Integer - The domain ID of the network object.

Response Sample
[
{
"cidr": "String",
"description": "String",
"domain_id": 42,
"group": "String",
"id": 42,
"name": "String"
}
]

GET /config/resource_restrictions
Retrieves a list of all resource restrictions.

Retrieves the list of all resource restrictions.

Table 1604. GET /config/resource_restrictions resource details
MIME Type
application/json

Table 1605. GET /config/resource_restrictions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 821

 Table 1605. GET /config/resource_restrictions request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1606. GET /config/resource_restrictions response codes

HTTP Response
Code Unique Code Description
200 The resource restriction list was successfully
retrieved.
500 1001 An error occurred during the attempt to retrieve the
restriction list.

Response Description

A list of all the restrictions.

Response Sample
[
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}
]

POST /config/resource_restrictions
Creates a new resource restriction.

Creates a new resource restriction.

Table 1607. POST /config/resource_restrictions resource details
MIME Type
application/json

822 QRadar API Reference Guide

Table 1608. POST /config/resource_restrictions request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1609. POST /config/resource_restrictions request body details

Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/ Required - The resource { "data_window": 42,
json restriction to be added. "execution_time": 42, "id":
Only one of the ID fields "String", "record_limit":
(user_id, tenant_id, 42, "role_id": 42,
role_id) can be provided. "tenant_id": 42, "user_id":
42 }

Table 1610. POST /config/resource_restrictions response codes

HTTP Response
Code Unique Code Description
200 The new resource restriction was successfully
created.
404 1009 The consumer (user, tenant, or role) provided was
not found.
422 1008 One of: user_id, role_id, or tenant_id
500 1010 An error occurred during the attempt to create a
resource restriction.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/resource_restrictions/{resource_restriction_id}
Retrieves a resource restriction consumer by ID.

Retrieves a resource restriction consumer by ID.

Chapter 7. Previous REST API versions 823

 Table 1611. GET /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 1612. GET /config/resource_restrictions/{resource_restriction_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
resource_restriction_id path Required String text/plain Required - The
resource restriction ID
of the resource
restriction to be
retrieved. Must be of
the format [1-3]-\d+
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1613. GET /config/resource_restrictions/{resource_restriction_id} response codes

HTTP Response
Code Unique Code Description
200 The resource restriction consumer was successfully
retrieved.
404 1003 No such resource restriction consumer (user, tenant,
or role) exists for the given ID.
422 1002 Provided ID is not a valid format. must be [1-3]-\d+
500 1004 An error occurred during the retrtieval resource
restrictions.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

DELETE /config/resource_restrictions/{resource_restriction_id}
Deletes a resource restriction consumer by ID.

Deletes a resource restriction consumer by ID.

824 QRadar API Reference Guide

Table 1614. DELETE /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
text/plain

Table 1615. DELETE /config/resource_restrictions/{resource_restriction_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
resource_restriction_id path Required String text/plain Required - The
resource restriction ID
of the resource
restriction to be
retrieved. Must be of
the format [1-3]-\d+

Table 1616. DELETE /config/resource_restrictions/{resource_restriction_id} response codes

HTTP Response
Code Unique Code Description
204 The resource restriction consumer was successfully
deleted.
404 1003 null
422 1002 Provided ID is not a valid format. Must be of the
format [1-3]-\d+
500 1004 An error occurred during the retrieval of the
resource restrictions.

Response Description

The deleted restriction object.

Response Sample

PUT /config/resource_restrictions/{resource_restriction_id}
Updates a resource restriction consumer by ID.

Updates a resource restriction consumer by ID.

Table 1617. PUT /config/resource_restrictions/{resource_restriction_id} resource details
MIME Type
application/json

Table 1618. PUT /config/resource_restrictions/{resource_restriction_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
resource_restriction_id path Required String text/plain Required - The
resource restriction ID
of the resource
restriction to be
updated. Must be of
the format [1-3]-\d+

Chapter 7. Previous REST API versions 825

 Table 1618. PUT /config/resource_restrictions/{resource_restriction_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1619. PUT /config/resource_restrictions/{resource_restriction_id} request body details

Parameter Data Type MIME Type Description Sample
resourceRestriction Object application/ Required - The resource { "data_window": 42,
json restrictions to be "execution_time": 42, "id":
updated. "String", "record_limit":
42, "role_id": 42,
"tenant_id": 42, "user_id":
42 }

Table 1620. PUT /config/resource_restrictions/{resource_restriction_id} response codes

HTTP Response
Code Unique Code Description
200 The resource restriction consumer was successfully
updated.
404 1006 The resource restriction consumer (user, tenant, or
role) wasn't found.
422 1005 Provided ID is not a valid format. Must be of the
format [1-3]-\d+
500 1007 An error occurred during the retrieval of the
resource restriction.

Response Description

The associated restriction object.

Response Sample
{
"data_window": 42,
"execution_time": 42,
"id": "String",
"record_limit": 42,
"role_id": 42,
"tenant_id": 42,
"user_id": 42
}

GET /config/store_and_forward/policies
Retrieves a list of store and forward policies.

Retrieves a list of store and forward policies.

826 QRadar API Reference Guide

Table 1621. GET /config/store_and_forward/policies resource details
MIME Type
application/json

Table 1622. GET /config/store_and_forward/policies request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1623. GET /config/store_and_forward/policies response codes

HTTP Response
Code Unique Code Description
200 The store and forward policies were retrieved.
422 1010 A request parameter is not valid.
500 1020 An error occurred during the attempt to retrieve the
store and forward policies.

Response Description

An array of Store and Forward Policy objects. An Store and Forward Policy object
contains the following fields:
v id - Long - The ID of the store and forward policy.
v name - String - The name of the store and forward policy.
v description - String - The description of the store and forward policy.
v timezone - String - The timezone of the store and forward policy.
v owner - String - The owner of the store and forward policy.
v store_and_forward_schedule_id - Long - The schedule ID of the store and
forward policy.

Chapter 7. Previous REST API versions 827

 v created - Long - The time in milliseconds since epoch since the store and
forward policy was created.
v modified - Long - The time in milliseconds since epoch since the store and
forward policy was last modified.

Response Sample
[
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}
]

GET /config/store_and_forward/policies/{id}
Retrieves a store and forward policy.

Retrieves a store and forward policy.

Table 1624. GET /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 1625. GET /config/store_and_forward/policies/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1626. GET /config/store_and_forward/policies/{id} response codes

HTTP Response
Code Unique Code Description
200 The store and forward policy was retrieved.
404 1002 The store and forward policy does not exist.
500 1020 An error occurred during the attempt to retrieve the
store and forward policy.

828 QRadar API Reference Guide

Response Description

The store and forward policy after it has been retrieved. An Store and Forward
Policy object contains the following fields:
v id - Long - The ID of the store and forward policy.
v name - String - The name of the store and forward policy.
v description - String - The description of the store and forward policy.
v timezone - String - The timezone of the store and forward policy.
v owner - String - The owner of the store and forward policy.
v store_and_forward_schedule_id - Long - The schedule ID of the store and
forward policy.
v created - Long - The time in milliseconds since epoch since the store and
forward policy was created.
v modified - Long - The time in milliseconds since epoch since the store and
forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

POST /config/store_and_forward/policies/{id}
Updates the store and forward policy owner only.

Updates the store and forward policy owner only

Table 1627. POST /config/store_and_forward/policies/{id} resource details
MIME Type
application/json

Table 1628. POST /config/store_and_forward/policies/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 829

 Table 1629. POST /config/store_and_forward/policies/{id} request body details
MIME
Parameter Data Type Type Description Sample
policy Object application/ null { "description": "String",
json "id": 42, "name":
"String", "owner":
"String",
"saf_schedule_id": 42,
"timezone": "String" }

Table 1630. POST /config/store_and_forward/policies/{id} response codes

HTTP Response
Code Unique Code Description
200 The store and forward policy has been updated.
403 1009 You do not have the required capabilities to update
the store and forward policy.
404 1002 The store and forward policy does not exist.
409 1004 The provided user does not have the required
capabilities to own the store and forward policy.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
store and forward policy.

Response Description

The store and forward policy after it was updated. An Store and Forward Policy
object contains the following fields:
v id - Long - The ID of the store and forward policy.
v name - String - The name of the store and forward policy.
v description - String - The description of the store and forward policy.
v timezone - String - The timezone of the store and forward policy.
v owner - String - The owner of the store and forward policy.
v store_and_forward_schedule_id - Long - The schedule ID of the store and
forward policy.
v created - Long - The time in milliseconds since epoch since the store and
forward policy was created.
v modified - Long - The time in milliseconds since epoch since the store and
forward policy was last modified.

Response Sample
{
"created": 42,
"description": "String",
"id": 42,
"modified": 42,
"name": "String",
"owner": "String",
"saf_schedule_id": 42,
"timezone": "String"
}

830 QRadar API Reference Guide

 DELETE /config/store_and_forward/policies/{id}
Deletes a store and forward policy.

Deletes a store and forward policy.

Table 1631. DELETE /config/store_and_forward/policies/{id} resource details
MIME Type
text/plain

Table 1632. DELETE /config/store_and_forward/policies/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)

Table 1633. DELETE /config/store_and_forward/policies/{id} response codes

HTTP Response
Code Unique Code Description
204 The Store and Forward Policy has been deleted
403 1009 You do not have the required capabilities to delete
the store and forward policy
404 1002 The Store and Forward Policy does not exist
500 1020 An error occurred during the attempt to delete the
store and forward policy

Response Description

Response Sample

Data classification endpoints

Use the references for REST API V7.0 data classification endpoints.

GET /data_classification/dsm_event_mappings
Retrieve a list of DSM event mappings.

Retrieves a list of DSM event mappings.

Table 1634. GET /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 831

 Table 1635. GET /data_classification/dsm_event_mappings request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1636. GET /data_classification/dsm_event_mappings response codes

HTTP Response
Code Unique Code Description
200 The requested list of DSM event mappings was
retrieved.
500 1020 An error occurred during the attempt to retrieve the
list of DSM event mappings.

Response Description

A list of DSM event mappings. A DSM event mapping contains the following
fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

832 QRadar API Reference Guide

Response Sample
[
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}
]

POST /data_classification/dsm_event_mappings
Creates a new custom DSM event mapping.

Creates a new custom DSM event mapping.

Table 1637. POST /data_classification/dsm_event_mappings resource details
MIME Type
application/json

Table 1638. POST /data_classification/dsm_event_mappings request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 833

 Table 1639. POST /data_classification/dsm_event_mappings request body details
Parameter Data Type MIME Type Description Sample
data Object application/ Required - A DSM event { "log_source_event_category":
json mapping that contains the "String", "log_source_event_id":
following fields: "String", "log_source_type_id": 42,
v log_source_type_id - "qid_record_id": 42 }
Required - Number - The ID
of the Log Source Type this
DSM event mapping resource
is associated with.
v log_source_event_id -
Required - String - The
primary identifying value
parsed from an event to be
used to look up the
corresponding QID record.
v log_source_event_category -
Required - String - The
secondary identifying value
parsed from an event to be
used to look up the
corresponding QID record.
v qid_record_id - Required -
Number - The ID of the QID
record to which this DSM
event mapping provides a
mapping.

Table 1640. POST /data_classification/dsm_event_mappings response codes

HTTP Response
Code Unique Code Description
201 The new custom DSM event mapping was created.
409 1008 There is an existing custom DSM event mapping
with same the log_source_type_id,
log_source_event_id and log_source_event_category
combination. Cannot create duplicate DSM event
mapping.
422 1005 Invalid parameter value provided for the new DSM
event mapping.
500 1020 An error occurred during the attempt to create a
new custom DSM event mapping.

Response Description

The newly created DSM event mapping that contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

834 QRadar API Reference Guide

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/dsm_event_mappings/
{dsm_event_mapping_id}
Retrieves a DSM event mapping based on the supplied DSM event mapping ID.

Retrieves a DSM event mapping based on the supplied DSM event mapping ID.
Table 1641. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
resource details
MIME Type
application/json

Table 1642. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

request parameter details
Parameter Type Optionality Data Type MIME Type Description
dsm_event_mapping_id path Required Number text/plain Required - The ID of the
(Integer) DSM event mapping.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1643. GET /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

response codes
HTTP Response
Code Unique Code Description
200 The requested DSM event mapping was retrieved.
404 1002 The requested DSM event mapping was not found.
500 1020 An error occurred during the attempt to retrieve the
DSM event mapping.

Response Description

A DSM event mapping that contains the following fields:

v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.

Chapter 7. Previous REST API versions 835

 v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

POST /data_classification/dsm_event_mappings/
{dsm_event_mapping_id}
Updates an existing custom DSM event mapping.

Updates an existing custom DSM event mapping.

Table 1644. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
resource details
MIME Type
application/json

Table 1645. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

request parameter details
Parameter Type Optionality Data Type MIME Type Description
dsm_event_mapping_id path Required Number text/plain Required - The ID of the
(Integer) DSM event mapping.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1646. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}

request body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - The DSM { "qid_record_id": 42 }
json event mapping to be
updated that might
contain the following
field:
v qid_record_id -
Number - Required -
The ID of the QID
record to which this
DSM event mapping
provides a mapping.

836 QRadar API Reference Guide

Table 1647. POST /data_classification/dsm_event_mappings/{dsm_event_mapping_id}
response codes
HTTP Response
Code Unique Code Description
200 The DSM event mapping was updated.
404 1002 The requested DSM event mapping was not found.
422 1005 Invalid parameter provided while updating the DSM
event mapping.
500 1020 An error occurred during the attempt to update a
DSM event mapping.

Response Description

The updated DSM event mapping that contains the following fields:
v id - Number - The ID of the DSM event mapping.
v log_source_type_id - Number - The ID of the Log Source Type this DSM event
mapping resource is associated with.
v log_source_event_id - String - The primary identifying value parsed from an
event to be used to look up the corresponding QID record.
v log_source_event_category - String - The secondary identifying value parsed
from an event to be used to look up the corresponding QID record.
v custom_event - Boolean - Flag to identify if the DSM event mapping is system
provided (custom_event=false) or user-provided (custom_event=true).
v qid_record_id - Number - The ID of the QID record to which this DSM event
mapping provides a mapping.

Response Sample
{
"custom_event": true,
"id": 42,
"log_source_event_category": "String",
"log_source_event_id": "String",
"log_source_type_id": 42,
"qid_record_id": 42
}

GET /data_classification/high_level_categories
Retrieves a list of high level categories.

Retrieves a list of high level categories.

Table 1648. GET /data_classification/high_level_categories resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 837

 Table 1649. GET /data_classification/high_level_categories request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1650. GET /data_classification/high_level_categories response codes

HTTP Response
Code Unique Code Description
200 The requested list of high level categories was
retrieved.
422 23003 Sorting is only supported for fields "id" or "name".
422 23004 The sort field that was provided does not exist.
422 23005 Sorting on multiple fields is not supported.
500 1020 An error occurred during the attempt to retrieve the
list of high level categories.

Response Description

A list of high level categories. A high level category contains the following fields:
v id - Number - The ID of the high level category.
v name - String - The name of the high level category.
v description - String - The description of the high level category.

838 QRadar API Reference Guide

Response Sample
[
{
"id": 19000,
"name": "Audit",
"description": "Audit"
},
{
"id": 20000,
"name": "Risk",
"description": "Risk"
}
]

GET /data_classification/high_level_categories/
{high_level_category_id}
Retrieves a high level category based on the supplied high level category ID.

Retrieves a high level category based on the supplied high level category ID.
Table 1651. GET /data_classification/high_level_categories/{high_level_category_id}
resource details
MIME Type
application/json

Table 1652. GET /data_classification/high_level_categories/{high_level_category_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
high_level_category_id path Required Number text/plain Required - the ID of the
(Integer) high level category.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1653. GET /data_classification/high_level_categories/{high_level_category_id}

response codes
HTTP Response
Code Unique Code Description
200 The requested high level category was retrieved.
404 1002 The requested high level category was not found.
422 1005 High level category ID must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the
high level category.

Response Description

A high level category that contains the following fields:

v id - Number - The ID of the high level category.
v name - String - The name of the high level category.

Chapter 7. Previous REST API versions 839

 v description - String - The description of the high level category.

Response Sample
{
"id": 19000,
"name": "Audit",
"description": "Audit",
}

GET /data_classification/low_level_categories
Retrieves a list of low level categories.

Retrieves a list of low level categories.

Table 1654. GET /data_classification/low_level_categories resource details
MIME Type
application/json

Table 1655. GET /data_classification/low_level_categories request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1656. GET /data_classification/low_level_categories response codes

HTTP Response
Code Unique Code Description
200 The requested list of low level categories was
retrieved.

840 QRadar API Reference Guide

Table 1656. GET /data_classification/low_level_categories response codes (continued)
HTTP Response
Code Unique Code Description
422 23053 Sorting is only supported for fields "id" or "name"
422 23054 The sort field that was provided does not exist.
422 23055 Sorting on multiple fields is not supported.
500 1020 An error occurred during the attempt to retrieve the
list of low level categories.

Response Description

A list of low level category objects. A low level category contains the following
fields:
v id - Number - The ID of the low level category.
v name - String - The name of the low level category.
v description - String - The description of the low level category.
v severity - Number - The severity of the low level category.
v high_level_category_id - Number - The ID of the parent high level category.

Response Sample
[
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity" : 0
},
{
"id": 19002,
"name": "Built-in Execution",
"description": " Built-in Execution",
"high_level_category_id": 19000,
"severity" : 0
}
]

GET /data_classification/low_level_categories/
{low_level_category_id}
Retrieves a low level category based on the supplied low level category ID.

Retrieves a low level category that is based on the supplied low level category ID.
Table 1657. GET /data_classification/low_level_categories/{low_level_category_id} resource
details
MIME Type
application/json

Table 1658. GET /data_classification/low_level_categories/{low_level_category_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
low_level_category_id path Required Number text/plain Required - The id of the
(Integer) low level category.

Chapter 7. Previous REST API versions 841

 Table 1658. GET /data_classification/low_level_categories/{low_level_category_id} request
parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1659. GET /data_classification/low_level_categories/{low_level_category_id} response

codes
HTTP Response
Code Unique Code Description
200 The requested low level category was retrieved.
404 1002 The requested low level category was not found.
422 1005 Low level category ID must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the
low level category.

Response Description

A low level category that contains the following fields:

v id - Number - The ID of the low level category.
v name - String - The name of the low level category.
v description - String - The description of the low level category.
v severity - Number - The severity of the low level category.
v high_level_category_id - Number - The ID of the parent high level category.

Response Sample
{
"id": 19001,
"name": "General Audit Event",
"description": "General Audit Event",
"high_level_category_id": 19000,
"severity" : 0
}

GET /data_classification/qid_records
Retrieves a list of QID records.

Retrieves a list of QID records.

Table 1660. GET /data_classification/qid_records resource details
MIME Type
application/json

842 QRadar API Reference Guide

Table 1661. GET /data_classification/qid_records request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1662. GET /data_classification/qid_records response codes

HTTP Response
Code Unique Code Description
200 The requested list of QID records was retrieved.
500 1020 An error occurred during the attempt to retrieve the
list of QID records.

Response Description

A list of QID records. A QID record contains the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Response Sample
[
{
"id": 64280,
"qid": 2500283,
"name": "DELETED WEB-MISC OReilly args.bat access",

Chapter 7. Previous REST API versions 843

 "description": "DELETED WEB-MISC OReilly args.bat access",
"severity": 2 ,
"low_level_category_id": 1011,
"log_source_type_id": null
},
{
"id": 64297,
"qid": 2500300,
"name": "DELETED WEB-MISC Cisco Web DOS attempt",
"description": "DELETED WEB-MISC Cisco Web DOS attempt",
"severity": 8,
"low_level_category_id": 2009
"log_source_type_id": null
}
]

POST /data_classification/qid_records
Creates a new QID record.

Creates a new QID record.

Table 1663. POST /data_classification/qid_records resource details
MIME Type
application/json

Table 1664. POST /data_classification/qid_records request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

844 QRadar API Reference Guide

Table 1665. POST /data_classification/qid_records request body details
MIME
Parameter Data Type Type Description Sample
data Object application/ Required - A QID { "log_source_type_id": 199, "name":
json record containing the "spp_portscan: Portscan Detected",
following fields: "description": "spp_portscan:
v log_source_type_id - Portscan Detected", "severity": 4,
Required - Number - "low_level_category_id":1008 }
The ID of the log
source type which
the QID record is
created for.
v name - Required -
String - The name of
the QID record.
v description -
Optional - String -
The description of
the QID record.
v severity - Optional -
Number - The
severity of the QID
record. If not
provided, the
severity of the
corresponding low
level category is used
as the default value.
v
low_level_category_id
- Required - Number -
The low level category
ID of the QID record.

Table 1666. POST /data_classification/qid_records response codes

HTTP Response
Code Unique Code Description
201 The new QID record was created.
422 1005 Invalid parameter value provided for the new QID
record.
500 1020 An error occurred during the attempt to create a
new QID record.

Response Description

The newly created QID record containing the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Chapter 7. Previous REST API versions 845

 Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

GET /data_classification/qid_records/{qid_record_id}
Retrieves a QID record that is based on the supplied qid_record_id.

Retrieves a QID record that is based on the supplied qid_record_id.

Table 1667. GET /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 1668. GET /data_classification/qid_records/{qid_record_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
qid_record_id path Required Number text/plain Required - the ID of
(Integer) the QID record.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

Table 1669. GET /data_classification/qid_records/{qid_record_id} response codes

HTTP Response
Code Unique Code Description
200 The requested QID record was retrieved.
404 1002 The requested QID record was not found.
422 1005 qid_record_id must be a positive integer.
500 1020 An error occurred during the attempt to retrieve the
QID record.

Response Description

A QID record containing the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.

846 QRadar API Reference Guide

v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

POST /data_classification/qid_records/{qid_record_id}
Updates an existing QID record.

Updates an existing QID record.

Table 1670. POST /data_classification/qid_records/{qid_record_id} resource details
MIME Type
application/json

Table 1671. POST /data_classification/qid_records/{qid_record_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
qid_record_id path Required Number text/plain Required - The ID of
(Integer) the QID record.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get
back in the response.
Fields that are not
named are excluded.
Specify subfields in
brackets and multiple
fields in the same
object are separated
by commas.

Chapter 7. Previous REST API versions 847

 Table 1672. POST /data_classification/qid_records/{qid_record_id} request body details
Parameter Data Type MIME Type Description Sample
qid_record Object application/ Required - The QID record to { "name": "spp_portscan: Portscan
json be updated, which may contain Detected", "description":
the following fields: "spp_portscan: Portscan Detected",
v name - Optional - String - "severity": 4,
The name of the QID record. "low_level_category_id":1008 }

v description - Optional -
String - The description of
the QID record.
v severity - Optional - Number
- The severity of the QID
record.
v low_level_category_id -
Optional - Number - The low
level category ID of the QID
record.

Table 1673. POST /data_classification/qid_records/{qid_record_id} response codes

HTTP Response
Code Unique Code Description
200 The QID record was updated.
404 1002 The requested QID record was not found.
409 1008 The QID record that was provided cannot be
updated because it is a system-provided QID.
422 1005 Invalid parameter was provided during the update
to the QID record.
500 1020 An error occurred during the attempt to update a
QID record.

Response Description

The updated QID record containing the following fields:

v id - Number - The ID of the QID record.
v qid - Number - The QID of the QID record.
v name - String - The name of the QID record.
v description - String - The description of the QID record.
v severity - Number - The severity of the QID record.
v low_level_category_id - Number - The low level category ID of the QID record.
v log_source_type_id - Number - A placeholder with null value to ensure data
structure consistency among endpoints.

Response Sample
{
"id": 63998,
"qid": 2500001,
"name": "spp_portscan: Portscan Detected",
"description": "spp_portscan: Portscan Detected",
"severity": 4,
"low_level_category_id": 1008,
"log_source_type_id": null
}

848 QRadar API Reference Guide

Forensics endpoints
Use the references for REST API V7.0 forensics endpoints.

GET /forensics/capture/recoveries
Retrieves a list of capture recoveries.

Retrieves a list of recoveries.

Table 1674. GET /forensics/capture/recoveries resource details
MIME Type
application/json

Table 1675. GET /forensics/capture/recoveries request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1676. GET /forensics/capture/recoveries response codes

HTTP Response
Code Unique Code Description
200 The Workflow Recovery Jobs were retrieved.
500 1020 An error occurred while the recovery job list was
being retrieved.

Response Description

A list of recoveries. A recovery contains the following fields:

v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.

Chapter 7. Previous REST API versions 849

 v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to
store the recovered data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this
recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when
searching. These are user supplied string identifiers that are used to mark the
data so the user can easily look up the data later.

Response Sample
[
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}
]

POST /forensics/capture/recoveries
Creates a new capture recovery.

Creates a new recovery.

Table 1677. POST /forensics/capture/recoveries resource details
MIME Type
application/json

Table 1678. POST /forensics/capture/recoveries request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

850 QRadar API Reference Guide

Table 1679. POST /forensics/capture/recoveries request body details
MIME
Parameter Data Type Type Description Sample
recovery Object application/null { "assigned_to": "String", "bpf": "String",
json "case_id": 42, "collection_name_suffix":
"String", "recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [ "String" ], "tags": [ "String"
]}

Table 1680. POST /forensics/capture/recoveries response codes

HTTP Response
Code Unique Code Description
201 The workflow recovery job was created.
403 1009 The user or targeted user does not have the
capability to perform this request.
409 1000 null
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the
recovery job.

Response Description

The newly created recovery that contains the following fields:

v assigned_to - String - The username of the user the recovery is assigned to. If
not supplied the recovery will be assigned to the user making the request.
Requires a valid user with Forensics role. Not an authorized service.
v bpf - String - The Berkeley Packet Filter to pass to the capture device. A
simplified Berkley Packet Filter expression to pass to the capture device to apply
when recovering network data. Maximum length is 250 characters
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to
store the recovered data in. Collection name(s) for recovery tasks are derived
from this value and capture devices where network data originates as a recovery
task is created for each device. (e.g. A collection name suffix of "mycollection"
and data recovered from capture device IP "10.0.0.2" results in a collection that is
named "10.0.0.2_mycollection"). NOTE: If the collection name already exists in
the case the existing collection is deleted. Maximum length is 100 characters.
Alphanumeric and period characters are permitted only.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this
recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when
searching. These are user supplied string identifiers that are used to mark the
data so the user can easily look up the data later. Maximum length 255
alphanumeric characters (all values converted to space separated string)

Chapter 7. Previous REST API versions 851

 Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}

GET /forensics/capture/recoveries/{id}
Retrieves a recovery based on the supplied ID.

Retrieves a recovery based on the supplied ID.

Table 1681. GET /forensics/capture/recoveries/{id} resource details
MIME Type
application/json

Table 1682. GET /forensics/capture/recoveries/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the workflow job to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1683. GET /forensics/capture/recoveries/{id} response codes

HTTP Response
Code Unique Code Description
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred during the retrieval of the
recovery job.

852 QRadar API Reference Guide

Response Description

A recovery that contains the following fields:

v assigned_to - String - The username of the user the recovery is assigned to.
v bpf - String - The Berkeley Packet Filter to pass to the capture device.
v case_id - String - ID of the case where the collection(s) are created.
v collection_name_suffix - String - Suffix that is used to name the collection(s) to
store the recovered data in.
v id - Long - ID for the recovery.
v recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this
recovery.
v recovery_window_end_time - Long - End of time range for data recovery.
v recovery_window_start_time - Long - Start of time range for data recovery.
v tags - String - Identifiers applied to recovered data to assist with grouping when
searching. These are user supplied string identifiers that are used to mark the
data so the user can easily look up the data later.

Response Sample
{
"assigned_to": "String",
"bpf": "String",
"case_id": 42,
"collection_name_suffix": "String",
"id": 42,
"recovery_task_ids": [
42
],
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"session_ids": [
"String"
],
"tags": [
"String"
]
}

GET /forensics/capture/recovery_tasks
Retrieves a list of recovery tasks.

Retrieves a list of recovery tasks.

Table 1684. GET /forensics/capture/recovery_tasks resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 853

 Table 1685. GET /forensics/capture/recovery_tasks request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1686. GET /forensics/capture/recovery_tasks response codes

HTTP Response
Code Unique Code Description
200 The workflow recovery job tasks were retrieved.
500 1020 An error occurred while the recovery job task list
was being retrieved.

Response Description

A list of recovery tasks. A recovery task contains the following fields:

v assigned_to - String - The username of the user the recovery task is assigned to.
v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data.
The IP address of the capture device at time of recovery.
v case_id - String - ID of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored.
Derived from device recovery collection name suffix. NOTE: This is used as part
of the collection_name to uniquely identify and index the data at time of
recovery and is not updated if the capture device IP address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host the recovery task is
running on.
v recovery_id - Long - ID of the recovery this task belongs to.

854 QRadar API Reference Guide

v recovery_window_end_time - Long - End of time range for data recovery
window sent to capture device. Data recovered is from before this time.
v recovery_window_start_time - Long - Start of time range for data recovery
window sent to capture device. Data recovered is from after this time.
v status - String - Current status of this task. Possible values are:
CANCELED - Recovery from capture device canceled. Any documents
recovered before cancellation remain in the system.
CANCELLING - Recovery from capture device in process of cancellation
FAILED - Something went wrong with the recovery.
IN_PROGRESS - The capture device is processing the recovery.
NEW - The recovery task was created and is waiting to be picked up by the
system.
PENDING - The recovery task was picked up by the system and is waiting
for the capture device to start processing the recovery.
SUCCESS - Recovery from capture device successfully completed
v tags - String Array - Identifiers that are applied to recovered data to assist with
grouping when searching. These are user-supplied string identifiers that are
used to mark the data so the user can easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
[
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,
NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}
]

GET /forensics/capture/recovery_tasks/{id}
Retrieves a recovery task based on the supplied ID.

Retrieves a recovery task based on the supplied ID.

Chapter 7. Previous REST API versions 855

 Table 1687. GET /forensics/capture/recovery_tasks/{id} resource details
MIME Type
application/json

Table 1688. GET /forensics/capture/recovery_tasks/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the workflow job to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1689. GET /forensics/capture/recovery_tasks/{id} response codes

HTTP Response
Code Unique Code Description
200 The Workflow Recovery Job was retrieved.
404 1002 No recovery job was found for the provided ID.
500 1020 An error occurred while the recovery job was being
retrieved.

Response Description

A recovery task containing the following fields:

v assigned_to - String - The username of the user the recovery task is assigned to.
v bpf - String - Berkeley Packet Filter sent to capture device when recovering.
v capture_device_id - String - Capture device where this task collected its data.
The IP address of the capture device at time of recovery.
v case_id - String - Id of case where the collection is created.
v collection_name - String - Name of collection where recovered data is stored.
Derived from device recovery collection name suffix. NOTE: This is used as part
of the collection_name to uniquely identify and index the data at time of
recovery and is not updated if the capture device ip address is changed.
v id - Long - ID for the recovery task.
v managed_host_hostname - String - The managed host where the recovery task
runs.
v recovery_id - Long - ID of the recovery this task belongs to.
v recovery_window_end_time - Long - End of time range for data recovery
window sent to capture device. Data recovered is from before this time.
v recovery_window_start_time - Long - Start of time range for data recovery
window sent to capture device. Data recovered is from after this time.

856 QRadar API Reference Guide

v status - String - Current status of this task. Possible values are:
CANCELED - Recovery from capture device canceled. Any documents
recovered before cancellation remain in the system.
CANCELLING - Recovery from capture device in process of cancellation.
FAILED - Something went wrong with the recovery.
IN_PROGRESS - The capture device is processing the recovery.
NEW - The recovery task was created and is waiting to be picked up by the
system.
PENDING - The recovery task was picked up by the system and is waiting
for the capture device to start processing the recovery.
SUCCESS - Recovery from capture device successfully completed
v tags - String Array - Identifiers that are applied to recovered data to assist with
grouping when searching. These are user-supplied string identifiers that are
used to mark the data so the user can easily look up the data later.
v task_end_time - Long - Timestamp the recovery task completed.
v task_start_time - Long - Timestamp the recovery task started.

Response Sample
{
"assignee": "String",
"bpf": "String",
"capture_device_ip": "String",
"case_id": 42,
"collection_name": "String",
"id": 42,
"managed_host_hostname": "String",
"recovery_id": 42,
"recovery_window_end_time": 42,
"recovery_window_start_time": 42,
"status": "String <one of: CANCELED,
CANCELING,
FAILED,
IN_PROGRESS,
NEW,
PENDING,
SUCCESS>",
"tags": [
"String"
],
"task_end_time": 42,
"task_start_time": 42
}

GET /forensics/case_management/case_create_tasks/{id}
Retrieves a case create task based on the supplied id.

Retrieves a case create task based on the supplied id.

Table 1690. GET /forensics/case_management/case_create_tasks/{id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 857

 Table 1691. GET /forensics/case_management/case_create_tasks/{id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The id of
(Integer) the case create task to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1692. GET /forensics/case_management/case_create_tasks/{id} response codes

HTTP Response
Code Unique Code Description
200 The case create task was retrieved.
404 1002 No case create task was found for the provided ID.
500 1020 An error occurred during the retrieval of the case
create task.

Response Description

A case create task containing the following fields:

v assigned_to - String Array - Usernames of users to give access to the case once it
is created. Users must have the FORENSICS role. Authorized services are not
allowed.
v case_id - Long - ID for the created case .
v case_name - String - Name to give the created case.
v id - Long - ID for the case create task.
v status - String - Possible values are:
COMPLETE - The case has been created across all managed hosts.
PARTIALLY_COMPLETE - The case was created on at least one managed
host, but not all of them. The case is considered to be usable, but functionality
might be limited. This usually means one or more managed hosts are down
and the case is not created yet. The task completes after all offending
managed hosts either complete the task, or are removed from the
deployment.
PROCESSING - The task has been picked up by QRadar and is actively
being processed. Cases are being created on the managed hosts.
WAITING - The task is waiting for its time to be processed. Nothing is being
done at this time.

858 QRadar API Reference Guide

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",
"state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}

GET /forensics/case_management/cases
Retrieves a list of cases.

Retrieves a list of cases.

Table 1693. GET /forensics/case_management/cases resource details
MIME Type
application/json

Table 1694. GET /forensics/case_management/cases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1695. GET /forensics/case_management/cases response codes

HTTP Response
Code Unique Code Description
200 The cases were retrieved.

Chapter 7. Previous REST API versions 859

 Table 1695. GET /forensics/case_management/cases response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the retrieval of the case
list.

Response Description

A list of cases. A case contains the following fields:

v assigned_to - String Array - Usernames of the users who have access to the case.
Users must have the FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
[
{
"assigned_to": [
"String"
],
"id": 42,
"name": "String"
}
]

POST /forensics/case_management/cases
Creates a new case.

Creates a new case.

Table 1696. POST /forensics/case_management/cases resource details
MIME Type
application/json

Table 1697. POST /forensics/case_management/cases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

860 QRadar API Reference Guide

Table 1698. POST /forensics/case_management/cases request body details
MIME
Parameter Data Type Type Description Sample
case Object application/ null { "assigned_to": [
json "String" ], "name":
"String" }

Table 1699. POST /forensics/case_management/cases response codes

HTTP Response
Code Unique Code Description
201 The case was created.
403 1009 The user or targeted user does not have the
capability to perform this request.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the creation of the case.

Response Description

The case create status contains the following fields:

v assigned_to - String Array - Usernames of users to give access to the case once it
is created. Users must have the FORENSICS role. Authorized services are not
allowed. If the case is not assign to anyone, it is assigned to the creator if they
are a user (not authorized service). Otherwise, it is only accessible by an
administrator. NOTE: During creation the assigned_to list can contain at most
one username.
v case_id - Long - ID for the created case.
v case_name - String - Name to give the created case. The case name must include
alphanumeric characters only, and be 1-15 characters long with no spaces. Case
names are unique.
v id - Long - ID for the case create task.
v status - String - Possible values are:
COMPLETE - The case has been created across all managed hosts.
PARTIALLY_COMPLETE - The case has been created on at least one
managed host, but not all of them. The case is considered to be usable, but
functionality might be limited. This usually means one or more managed
hosts are down and the case is not created yet. The task completes after all
offending managed hosts either complete the task or are removed from the
deployment.
PROCESSING - The task was picked up by QRadar and is actively being
processed. Cases are being created on the managed hosts.
WAITING - The task is waiting for its time to be processed. Nothing is being
done at this time.

Response Sample
{
"assigned_to": [
"String"
],
"case_id": 42,
"id": 42,
"name": "String",

Chapter 7. Previous REST API versions 861

 "state": "String <one of: COMPLETE,
PARTIALLY_COMPLETE,
PROCESSING,
WAITING>"
}

GET /forensics/case_management/cases/{id}
Retrieves a case based on the supplied id.

Retrieves a case based on the supplied ID.

Table 1700. GET /forensics/case_management/cases/{id} resource details
MIME Type
application/json

Table 1701. GET /forensics/case_management/cases/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain Required - The ID of
(Integer) the workflow job to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1702. GET /forensics/case_management/cases/{id} response codes

HTTP Response
Code Unique Code Description
404 1002 No case was found for the provided ID.
500 1020 An error occurred during the retrieval of the case.

Response Description

A case that contains the following fields:

v assigned_to - String Array - Usernames of the users who have access to the case.
Users must have the FORENSICS role. Authorized services are not allowed.
v id - Long - ID for the case.
v name - String - The name of the case.

Response Sample
{
"assigned_to": [
"String"

862 QRadar API Reference Guide

 ],
"id": 42,
"name": "String"
}

GUI application framework endpoints

Use the references for REST API V7.0 GUI application framework endpoints.

GET /gui_app_framework/application_creation_task
Retrieve status details.

Retrieve a list of status details of all asynchronous requests to create applications.

Table 1703. GET /gui_app_framework/application_creation_task resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 1704. GET /gui_app_framework/application_creation_task response codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the requests to create applications.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

POST /gui_app_framework/application_creation_task
Creates a new application within the Application framework.

Chapter 7. Previous REST API versions 863

 Create a new application within the Application framework, and register it with
QRadar. The application is created asynchronously. A reference to the
application_id is returned and should be used in subsequent API calls to determine
the status of the application installation.
Table 1705. POST /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 1706. POST /gui_app_framework/application_creation_task request body details

Parameter Data Type MIME Type Description Sample

package zip application/zip A zip file, that contains null

custom code, and a
application manifest JSON file
descriptor

Table 1707. POST /gui_app_framework/application_creation_task response codes

HTTP Response
Code Unique Code Description
201 The application was installed and registered
successfully.

409 1008 An application with that UUID is already installed.

Only an upgrade or delete can be performed in this
state.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

864 QRadar API Reference Guide

GET /gui_app_framework/application_creation_task/
{application_id}
Retrieve a list of status details of a asynchronous request to create application.
Table 1708. GET /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 1709. GET /gui_app_framework/application_creation_task/{application_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get the status
(Integer) details of this application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 1710. GET /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the request to create application.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

Chapter 7. Previous REST API versions 865

 POST /gui_app_framework/application_creation_task/
{application_id}
Cancel a new application install within the Application framework.

Use this endpoint to cancel a new application install within the Application
framework. The application_id and a status are required.
Table 1711. POST /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 1712. POST /gui_app_framework/application_creation_task/{application_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number text/plain Required - The
(Integer) application_id to cancel
installing.
status query Required String text/plain Required - The status to
update the application
install to. Currently only
CANCELLED is
supported

Table 1713. POST /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 The application installation was canceled and
unregistered successfully.
404 1002 The application_id is invalid or could not be found.
422 1005 The status is not valid.
500 1020 An error occurred when attempting to update the
Application request state.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"

866 QRadar API Reference Guide

 }
]
}
]

GET /gui_app_framework/applications
Retrieve list of applications

Retrieve a list of applications that are installed on the console, with their manifest
json structures and current status.
Table 1714. GET /gui_app_framework/applications resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 1715. GET /gui_app_framework/applications response codes
HTTP Response
Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of applications.

Response Description

The list of applications.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [

Chapter 7. Previous REST API versions 867

 {
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",

868 QRadar API Reference Guide

 "description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

GET /gui_app_framework/applications/{application_id}
Retrieve specific application

Retrieve a specific application installed on the console with manifest json structure
and current status.
Table 1716. GET /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 869

 Table 1717. GET /gui_app_framework/applications/{application_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get specific
(Integer) installed application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 1718. GET /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
application.

Response Description

The specific application.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}

870 QRadar API Reference Guide

],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},

Chapter 7. Previous REST API versions 871

 {
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

POST /gui_app_framework/applications/{application_id}
Update an Application

Start or stop an application by setting status to RUNNING or STOPPED

respectively.
Table 1719. POST /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 1720. POST /gui_app_framework/applications/{application_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to
update.

872 QRadar API Reference Guide

Table 1720. POST /gui_app_framework/applications/{application_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
status query Required String text/plain Required - The
status of the
application to set to
RUNNING or
STOPPED.

Table 1721. POST /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application has been successfully updated
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
422 1005 The application status is not valid.
500 1020 An error occurred while attempting to update the
application.

Response Description

Application structure including application status.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy

Chapter 7. Previous REST API versions 873

 of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",

874 QRadar API Reference Guide

 "javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

PUT /gui_app_framework/applications/{application_id}
Upgrade an application.

Upgrade an application.
Table 1722. PUT /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 1723. PUT /gui_app_framework/applications/{application_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 875

 Table 1724. PUT /gui_app_framework/applications/{application_id} request body details
Parameter Data Type MIME Type Description Sample
package zip application/zip A zip file, that contains null
custom code, and a
application manifest
JSON file descriptor

Table 1725. PUT /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
202 The request for an application upgrade was
accepted.
404 1002 The application_id is invalid or could not be found.
409 1008 The application is locked by another process.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

DELETE /gui_app_framework/applications/{application_id}
Delete an Application.
Table 1726. DELETE /gui_app_framework/applications/{application_id} resource details
MIME Type
text/plain

876 QRadar API Reference Guide

 Table 1727. DELETE /gui_app_framework/applications/{application_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to delete.

Table 1728. DELETE /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
204 The application has been successfully unregistered.
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
500 1020 An error occurred while attempting to delete the
application.

Response Description

Successful response code 204 No content.

Response Sample

Help endpoints
Use the references for REST API V7.0 Help endpoints.

GET /help/endpoints
Retrieves a list of endpoint documentation objects that are currently in the system.

Retrieves a list of endpoint documentation objects that are currently in the system.
Table 1729. GET /help/endpoints resource details
MIME Type
application/json

Table 1730. GET /help/endpoints request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 877

 Table 1730. GET /help/endpoints request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1731. GET /help/endpoints response codes

HTTP Response
Code Unique Code Description
200 The endpoint documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of endpoint documentation objects. An endpoint documentation object

contains the following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent.
It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false
otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD,
POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this
endpoint.
v error_responses(response_code) - Number - The HTTP code for this error
response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error
response.
v error_responses(response_code_description) - String - The description of the
response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.

878 QRadar API Reference Guide

v success_responses - Array of Objects - A list of potential success responses for
this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the
response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME
types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME
type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if
there is no default value for this parameter. This is always a String, regardless of
the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER,
PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for
this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of
this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the
parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last
modified. It is less than or equal to the version in the version field.
v caller_has_access - Boolean - True if the user has the required capabilities to call
this endpoint, false otherwise.

Response Sample
[
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,

Chapter 7. Previous REST API versions 879

 TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}
]

GET /help/endpoints/{endpoint_id}
Retrieves a single endpoint documentation object.

Retrieves a single endpoint documentation object.

Table 1732. GET /help/endpoints/{endpoint_id} resource details
MIME Type
application/json

Table 1733. GET /help/endpoints/{endpoint_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
endpoint_id path Required Number text/plain The endpoint id.
(Integer)

880 QRadar API Reference Guide

Table 1733. GET /help/endpoints/{endpoint_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1734. GET /help/endpoints/{endpoint_id} response codes

HTTP Response
Code Unique Code Description
200 The endpoint documentation object was retrieved.
404 1002 No endpoint documentation object was found for
the provided endpoint id.
500 1020 An unexpected error has occurred.

Response Description

An endpoint documentation object. An endpoint documentation object contains the

following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent.
It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false
otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD,
POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this
endpoint.
v error_responses(response_code) - Number - The HTTP code for this error
response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error
response.
v error_responses(response_code_description) - String - The description of the
response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for
this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.

Chapter 7. Previous REST API versions 881

 v success_responses(response_code_description) - String - The name for the
response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME
types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME
type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if
there is no default value for this parameter. This is always a String, regardless of
the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER,
PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for
this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of
this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the
parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last
modified. It will be less than or equal to the version in the version field.
v caller_has_access - Boolean - Returns true if the user has the required
capabilities to call this endpoint. Returns false otherwise.

Response Sample
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{

882 QRadar API Reference Guide

 "default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}

GET /help/resources
Retrieves a list of resource documentation objects currently in the system.

Retrieves a list of resource documentation objects currently in the system.

Table 1735. GET /help/resources resource details
MIME Type
application/json

Table 1736. GET /help/resources request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 883

 Table 1736. GET /help/resources request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1737. GET /help/resources response codes

HTTP Response
Code Unique Code Description
200 The resource documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of resource documentation objects. A resource documentation object

contains the following fields:
v id - Number - The ID of the resource documentation object. This ID is not
permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs
that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for
endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of
this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
[
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],

884 QRadar API Reference Guide

 "id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}
]

GET /help/resources/{resource_id}
Retrieves a single resource documentation object.

Retrieves a single resource documentation object.

Table 1738. GET /help/resources/{resource_id} resource details
MIME Type
application/json

Table 1739. GET /help/resources/{resource_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
resource_id path Required Number text/plain The resource id.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1740. GET /help/resources/{resource_id} response codes

HTTP Response
Code Unique Code Description
200 The resource documentation object was retrieved.
404 1002 No resource documentation object was found for the
provided resource ID.
500 1020 An unexpected error has occurred.

Response Description

A resource documentation object. A resource documentation object contains the

following fields:
v id - Number - The ID of the resource documentation object. This ID is not
permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs
that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for
endpoints on this resource.
v resource - String - The current resource.

Chapter 7. Previous REST API versions 885

 v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of
this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}

GET /help/versions
Retrieves a list of version documentation objects currently in the system.

Retrieves a list of version documentation objects currently in the system.

Table 1741. GET /help/versions resource details
MIME Type
application/json

Table 1742. GET /help/versions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

886 QRadar API Reference Guide

Table 1743. GET /help/versions response codes
HTTP Response
Code Unique Code Description
200 The version documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of version documentation objects. A version documentation object

contains the following fields:
v id - Number - The ID of the version documentation object. This ID is not
permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false
otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false
otherwise. Endpoints cannot be called from an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in
this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
[
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
]

GET /help/versions/{version_id}
Retrieves a single version documentation object.

Retrieves a single version documentation object.

Table 1744. GET /help/versions/{version_id} resource details
MIME Type
application/json

Table 1745. GET /help/versions/{version_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
version_id path Required Number text/plain The ID of the version
(Integer) documentation to
retrieve.

Chapter 7. Previous REST API versions 887

 Table 1745. GET /help/versions/{version_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1746. GET /help/versions/{version_id} response codes

HTTP Response
Code Unique Code Description
200 The version documentation object was retrieved.
404 1002 No version documentation object was found for the
provided version id.
500 1020 An unexpected error has occurred.

Response Description

A version documentation object. A version documentation object contains the

following fields:
v id - Number - The ID of the version documentation object. This ID is not
permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false
otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false
otherwise. Endpoints cannot be called with an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in
this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}

IBM Security QRadar Risk Manager endpoints

Use the references for REST API V7.0 QRadar Risk Manager endpoints.

888 QRadar API Reference Guide

GET /qrm/model_groups
Retrieves a list of model groups.

Retrieves a list of model groups.

Table 1747. GET /qrm/model_groups resource details
MIME Type
application/json

Table 1748. GET /qrm/model_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1749. GET /qrm/model_groups response codes

HTTP Response
Code Unique Code Description
200 The model groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the
model groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.

Chapter 7. Previous REST API versions 889

 v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/model_groups/{group_id}
Retrieves a model group.

Retrieves a model group.

Table 1750. GET /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 1751. GET /qrm/model_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

890 QRadar API Reference Guide

Table 1751. GET /qrm/model_groups/{group_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1752. GET /qrm/model_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The model group was retrieved.
404 1002 The model group does not exist.
500 1020 An error occurred during the attempt to retrieve the
model group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",

Chapter 7. Previous REST API versions 891

 "owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/model_groups/{group_id}
Updates the owner of a model group.

Updates the owner of a model group.

Table 1753. POST /qrm/model_groups/{group_id} resource details
MIME Type
application/json

Table 1754. POST /qrm/model_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

892 QRadar API Reference Guide

Table 1755. POST /qrm/model_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1756. POST /qrm/model_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The model group was updated.
404 1002 The model group does not exist.
409 1004 The provided user does not have the required
capabilities to own the model group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
model group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"

Chapter 7. Previous REST API versions 893

 ],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/model_groups/{group_id}
Deletes a model group.

Deletes a model group.

Table 1757. DELETE /qrm/model_groups/{group_id} resource details
MIME Type
text/plain

Table 1758. DELETE /qrm/model_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 1759. DELETE /qrm/model_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The model group was deleted.
404 1002 The model group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
model group.

Response Description

Response Sample

GET /qrm/qrm_saved_search_groups
Retrieves a list of QRM saved search groups.

Retrieves a list of QRM saved search groups.

894 QRadar API Reference Guide

Table 1760. GET /qrm/qrm_saved_search_groups resource details
MIME Type
application/json

Table 1761. GET /qrm/qrm_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1762. GET /qrm/qrm_saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The QRM saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
QRM saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).

Chapter 7. Previous REST API versions 895

 v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/qrm_saved_search_groups/{group_id}
Retrieves a QRM saved search group.

Retrieves a QRM saved search group.

Table 1763. GET /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1764. GET /qrm/qrm_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

896 QRadar API Reference Guide

Table 1764. GET /qrm/qrm_saved_search_groups/{group_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1765. GET /qrm/qrm_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The QRM saved search group was retrieved.
404 1002 The QRM saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
QRM saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,

Chapter 7. Previous REST API versions 897

 "name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/qrm_saved_search_groups/{group_id}
Updates the owner of a QRM saved search group.

Updates the owner of a QRM saved search group.

Table 1766. POST /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1767. POST /qrm/qrm_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1768. POST /qrm/qrm_saved_search_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object { "child_groups": [ 42 ], "child_items": [ "String" ],
with the owner set to a "description": "String", "id": 42, "level": 42, "name":
valid deployed user. "String", "owner": "String", "parent_id": 42, "type":
"String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP, RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>" }

898 QRadar API Reference Guide

Table 1769. POST /qrm/qrm_saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The QRM saved search group was updated.
404 1002 The QRM saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the QRM saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
QRM saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,

Chapter 7. Previous REST API versions 899

 TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/qrm_saved_search_groups/{group_id}
Deletes a QRM saved search group.

Deletes a QRM saved search group.

Table 1770. DELETE /qrm/qrm_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1771. DELETE /qrm/qrm_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 1772. DELETE /qrm/qrm_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The QRM saved search group was deleted.
404 1002 The QRM saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
QRM saved search group.

Response Description

Response Sample

GET /qrm/question_groups
Retrieves a list of question groups.

Retrieves a list of question groups.

Table 1773. GET /qrm/question_groups resource details
MIME Type
application/json

900 QRadar API Reference Guide

Table 1774. GET /qrm/question_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1775. GET /qrm/question_groups response codes

HTTP Response
Code Unique Code Description
200 The question groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the
question groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 7. Previous REST API versions 901

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/question_groups/{group_id}
Retrieves a question group.

Retrieves a question group.

Table 1776. GET /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 1777. GET /qrm/question_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

902 QRadar API Reference Guide

Table 1778. GET /qrm/question_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The question group was retrieved.
404 1002 The question group does not exist.
500 1020 An error occurred during the attempt to retrieve the
question group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 7. Previous REST API versions 903

 POST /qrm/question_groups/{group_id}
Updates the owner of a question group.

Updates the owner of a question group.

Table 1779. POST /qrm/question_groups/{group_id} resource details
MIME Type
application/json

Table 1780. POST /qrm/question_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1781. POST /qrm/question_groups/{group_id} request body details

MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1782. POST /qrm/question_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The question group was updated.
404 1002 The question group does not exist.
409 1004 The provided user does not have the required
capabilities to own the question group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
question group.

904 QRadar API Reference Guide

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/question_groups/{group_id}
Deletes a question group.

Deletes a question group.

Table 1783. DELETE /qrm/question_groups/{group_id} resource details
MIME Type
text/plain

Chapter 7. Previous REST API versions 905

 Table 1784. DELETE /qrm/question_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 1785. DELETE /qrm/question_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The question group was deleted.
404 1002 The question group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
question group.

Response Description

Response Sample

GET /qrm/simulation_groups
Retrieves a of list the simulation groups.

Retrieves a list of the simulation groups.

Table 1786. GET /qrm/simulation_groups resource details
MIME Type
application/json

Table 1787. GET /qrm/simulation_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

906 QRadar API Reference Guide

Table 1787. GET /qrm/simulation_groups request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1788. GET /qrm/simulation_groups response codes

HTTP Response
Code Unique Code Description
200 The simulation groups were retrieved.
500 1020 An error occurred during the attempt to retrieve the
simulation groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",

Chapter 7. Previous REST API versions 907

 "parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qrm/simulation_groups/{group_id}
Retrieves a simulation group.

Retrieves a simulation group.

Table 1789. GET /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Table 1790. GET /qrm/simulation_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1791. GET /qrm/simulation_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The simulation group were retrieved.
404 1002 The simulation group does not exist.
500 1020 An error occurred during the attempt to retrieve the
simulation group.

908 QRadar API Reference Guide

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/simulation_groups/{group_id}
Updates the owner of a simulation group.

Updates the owner of a simulation group.

Table 1792. POST /qrm/simulation_groups/{group_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 909

 Table 1793. POST /qrm/simulation_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1794. POST /qrm/simulation_groups/{group_id} request body details

MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1795. POST /qrm/simulation_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The simulation group was updated.
404 1002 The simulation group does not exist.
409 1004 The provided user does not have the required
capabilities to own the simulation group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
simulation group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.

910 QRadar API Reference Guide

v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/simulation_groups/{group_id}
Deletes a simulation group.

Deletes a simulation group.

Table 1796. DELETE /qrm/simulation_groups/{group_id} resource details
MIME Type
text/plain

Table 1797. DELETE /qrm/simulation_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 911

 Table 1798. DELETE /qrm/simulation_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
204 The simulation group has been deleted.
404 1002 The simulation group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
simulation group.

Response Description

Response Sample

GET /qrm/topology_saved_search_groups
Retrieves a list of topology saved search groups.

Retrieves a list of topology saved search groups.

Table 1799. GET /qrm/topology_saved_search_groups resource details
MIME Type
application/json

Table 1800. GET /qrm/topology_saved_search_groups request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

912 QRadar API Reference Guide

Table 1801. GET /qrm/topology_saved_search_groups response codes
HTTP Response
Code Unique Code Description
200 The topology saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
topology saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

Chapter 7. Previous REST API versions 913

 GET /qrm/topology_saved_search_groups/{group_id}
Retrieves a topology saved search group.

Retrieves a topology saved search group.

Table 1802. GET /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1803. GET /qrm/topology_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1804. GET /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The topology saved search group was retrieved.
404 1002 The topology saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
topology saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

914 QRadar API Reference Guide

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

POST /qrm/topology_saved_search_groups/{group_id}
Updates the owner of an topology saved search group.

Updates the owner of an topology saved search group.

Table 1805. POST /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1806. POST /qrm/topology_saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 915

 Table 1807. POST /qrm/topology_saved_search_groups/{group_id} request body details
MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 1808. POST /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The topology saved search group was updated.
404 1002 The topology saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the topology saved search group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
topology saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"

916 QRadar API Reference Guide

 ],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qrm/topology_saved_search_groups/{group_id}
Deletes a topology saved search group.

Deletes a topology saved search group.

Table 1809. DELETE /qrm/topology_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 1810. DELETE /qrm/topology_saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 1811. DELETE /qrm/topology_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The topology saved search group was deleted.
404 1002 The topology saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
topology saved search group.

Response Description

Response Sample

QRadar Vulnerability Manager endpoints

Use the references for REST API V7.0 QRadar Vulnerability Manager endpoints.

Chapter 7. Previous REST API versions 917

 GET /qvm/assets
List the assets with discovered vulnerabilities present in the asset model. The
response contains all available RESTful resources.
Table 1812. GET /qvm/assets resource details
MIME Type
application/json

Table 1813. GET /qvm/assets request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 1814. GET /qvm/assets response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by asset
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of assets data

Response Sample

GET /qvm/filters
Get a list of the allowable filters that can be used or applied against /qvm
endpoints.
v /qvm/assets
v /qvm/vulns
v /qvm/vulninstances
v /qvm/openservices
v /qvm/networks
v queries
Table 1815. GET /qvm/filters resource details
MIME Type
application/json

There are no parameters for this endpoint.

918 QRadar API Reference Guide

Table 1816. GET /qvm/filters response codes
HTTP Response
Code Unique Code Description
200 The search executed successfully
420 9102 An error occurred while executing the search

Response Description

list of Filters.

Response Sample

GET /qvm/network
List the networks present in the asset model with vulnerabilities present. The
response contains all available RESTful resources
Table 1817. GET /qvm/network resource details
MIME Type
application/json

Table 1818. GET /qvm/network request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 1819. GET /qvm/network response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by network
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of network related data

Response Sample

GET /qvm/openservices
List the openservices present in the asset model with vulnerabilities present. The
response will contain all available RESTful resources

Chapter 7. Previous REST API versions 919

 Table 1820. GET /qvm/openservices resource details
MIME Type
application/json

Table 1821. GET /qvm/openservices request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 1822. GET /qvm/openservices response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by open
service completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of open services related data

Response Sample

GET /qvm/saved_search_groups
Retrieves a list of vulnerability saved search groups.

Retrieves a list of vulnerability saved search groups.

Table 1823. GET /qvm/saved_search_groups resource details
MIME Type
application/json

920 QRadar API Reference Guide

Table 1824. GET /qvm/saved_search_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1825. GET /qvm/saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The vulnerability saved search groups were
returned.
500 1020 An error occurred during the attempt to retrieve the
vulnerability saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 7. Previous REST API versions 921

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /qvm/saved_search_groups/{group_id}
Retrieves a vulnerability saved search group.

Retrieves a vulnerability saved search group.

Table 1826. GET /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1827. GET /qvm/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

922 QRadar API Reference Guide

Table 1828. GET /qvm/saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The vulnerability saved search group was retrieved.
404 1002 The vulnerability saved search group does not exist.
422 1005 null
500 1020 An error occurred during the attempt to retrieve the
vulnerability saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group. (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 7. Previous REST API versions 923

 POST /qvm/saved_search_groups/{group_id}
Updates the owner of an vulnerability saved search group.

Updates the owner of an vulnerability saved search group.

Table 1829. POST /qvm/saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 1830. POST /qvm/saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1831. POST /qvm/saved_search_groups/{group_id} request body details

Parameter Data Type MIME Type Description Sample
group Object application/json Required - Group object { "child_groups": [ 42 ], "child_items": [ "String" ],
with the owner set to a "description": "String", "id": 42, "level": 42, "name":
valid deployed user. "String", "owner": "String", "parent_id": 42, "type":
"String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP, RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>" }

Table 1832. POST /qvm/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The vulnerability saved search group was updated.
404 1002 The vulnerability saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the vulnerability saved search
group.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
vulnerability saved search group.

924 QRadar API Reference Guide

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default groups can have localized
names).
v description - String - The description of the group (default groups can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of:
LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

DELETE /qvm/saved_search_groups/{group_id}
Deletes a vulnerability saved search group.

Deletes a vulnerability saved search group.

Table 1833. DELETE /qvm/saved_search_groups/{group_id} resource details
MIME Type
text/plain

Chapter 7. Previous REST API versions 925

 Table 1834. DELETE /qvm/saved_search_groups/{group_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 1835. DELETE /qvm/saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The vulnerability saved search group was deleted.
404 1002 The vulnerability saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
vulnerability saved search group.

Response Description

Response Sample

GET /qvm/saved_searches
Retrieves a list of vulnerability instance saved searches.

Retrieves a list of vulnerability instance saved searches.

Table 1836. GET /qvm/saved_searches resource details
MIME Type
application/json

Table 1837. GET /qvm/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

926 QRadar API Reference Guide

Table 1837. GET /qvm/saved_searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1838. GET /qvm/saved_searches response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully.
500 1020 An error occurred while trying to retrieve the list of
saved searches.

Response Description

A list of vulnerability instance saved searches that can be used or applied against:
v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

Each saved search that is returned includes an ID, name, and list of filters that
make up this saved search.

Response Sample
[
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
assets
Lists the Vulnerability Instances assets that are returned from the vulnerability
instance saved search.

Chapter 7. Previous REST API versions 927

 Lists the Vulnerability Instances assets that are returned from the saved search.
Table 1839. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets resource
details
MIME Type
application/json

Table 1840. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1841. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets response

codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving results.

Response Description

A list of assets associated with the vulnerability instance data.

928 QRadar API Reference Guide

Response Sample
[{"risk_policies": [{"passed": true,
"name": "String",
"last_evaluated": 42,
"question_type": "String",
"groups": ["String"]}],
"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String",
"network_name": "String"
}]
}],
"hostnames": ["String"],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"
}],
"operating_systems": [{"last_seen_date": 42,
"name": "String"
}]
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
vuln_instances
Lists the Vulnerability Instances returned from a vulnerability instance saved
search.

Lists the Vulnerability Instances returned from a saved search.

Table 1842. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
resource details
MIME Type
application/json

Table 1843. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 929

 Table 1843. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1844. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances

response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully.
404 1002 Resource not found
500 1020 An error occurred while retrieving results

Response Description

A list of vulnerability instance data.

Response Sample
[{"id": 42,
"cvss_environmental_score_string": "String",
"last_seen_date": 42,
"asset_id": 42,
"domain_id": 42,
"relevant_patches": [{"security_notice": "String",
"description": "String",
"patch_type": "String <one of: OS, NONOS>"
}],
"cvss_environmental_score": 42.5,
"seen_by_scan_profile": "String",

930 QRadar API Reference Guide

 "risk_score": 42.5,
"vulnerability_id": 42,
"first_seen_date": 42
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
vulnerabilities
List the Vulnerability Instances vulnerabilities returned from the saved search.
Table 1845. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities
resource details
MIME Type
application/json

Table 1846. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1847. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities

response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully
404 1002 Resource not found
500 1020 Error while retrieving results

Chapter 7. Previous REST API versions 931

 Response Description

list of vulnerability instance data

Response Sample
[{"cvss_base_score_string": "String",
"virtual_patches": [{"device": "String",
"qid": "String",
"signature": "String"
}],
"osvdb_title": "String",
"cvss_temporal_score": 42.5,
"cvss_base_score": 42.5,
"concern": "String",
"cve_ids": ["String"],
"critical_details": "String",
"risk_factor": {"name": "String <one of: High,
Medium,
Low,
Warning>",
"code": 42
},
"cvss_temporal_score_string": "String",
"severity": {"name": "String <one of: Patch,
Urgent,
Critical,
High,
Medium,
Low>",
"code": 42
},
"remediation": "String",
"id": 42, "patches": [{"security_notice": "String",
"description": "String"
}],
"description": "String"
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/status
Retrieves the current status of a vulnerability instance search that was initiated.

Retrieves the current status of a vulnerability instance search that was initiated.
Table 1848. GET /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 1849. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

932 QRadar API Reference Guide

Table 1849. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1850. GET /qvm/saved_searches/vuln_instances/{task_id}/status response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the current status of the
vulnerability instance search completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected vulnerability instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED, EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/saved_searches/vuln_instances/{task_id}/status
Updates the status of a vulnerability instance saved search.

Updates the status of a vulnerability instance saved search.

Table 1851. POST /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 933

 Table 1852. POST /qvm/saved_searches/vuln_instances/{task_id}/status request parameter
details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number text/plain Required. The ID of the
(Integer) task to update.
status query Optional String text/plain Optional. The only
accepted value is
CANCELLED. If this value
is provided, the search is
cancelled.
retention_period_in_days query Optional Number text/plain Optional. Set the data
(Integer) retention period in days
for the results. Accepted
values 0 - 14. Use 0 to
delete a result at the next
clean up cycle. Default
data retention period is 2
days.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1853. POST /qvm/saved_searches/vuln_instances/{task_id}/status response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully.
403 1009 You do not have the proper capabilities to retrieve
the Vulnerability Instance Saved Search.
404 1002 Resource not found.
409 1004 The current status of the search prevented the task
from being cancelled.
422 1005 A request parameter is not valid.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected Vulnerability Instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

934 QRadar API Reference Guide

 PROCESSING,
QUEUED,
RESUMING>"
}

GET /qvm/saved_searches/{saved_search_id}
Retrieves a vulnerability instance saved search.

Retrieves a vulnerability instance saved search.

Table 1854. GET /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 1855. GET /qvm/saved_searches/{saved_search_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1856. GET /qvm/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully
404 1002 The Saved Search does not exist
500 1020 An error occurred while trying to retrieve the
vulnerability instance saved search

Response Description

A vulnerability instance saved search that can be used or applied against:

v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

The saved search contains an ID, name, and list of filters that make up this saved
search.

Chapter 7. Previous REST API versions 935

 Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}

POST /qvm/saved_searches/{saved_search_id}
Updates the vulnerability saved search owner only.

Updates the vulnerability saved search owner only.

Table 1857. POST /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Table 1858. POST /qvm/saved_searches/{saved_search_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1859. POST /qvm/saved_searches/{saved_search_id} request body details

Parameter Data Type MIME Type Description Sample
saved_search Object application/ null { "filters": [ { "operator":
json "String", "parameter":
"String", "value": "String"
} ], "id": 42, "name":
"String", "owner": "String"
}

Table 1860. POST /qvm/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The vulnerability saved search was updated.
403 1009 You do not have the required capabilities to update
the vulnerability saved search.
404 1002 The vulnerability saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the vulnerability saved search.

936 QRadar API Reference Guide

Table 1860. POST /qvm/saved_searches/{saved_search_id} response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 A request parameter is not valid.
500 1020 null

Response Description

The vulnerability saved search after it was updated. A Vulnerability Saved Search
object contains the following fields:
v id - Long - The ID of the asset saved search.
v name - String - The name of the asset saved search.
v owner - String - The owner of the asset saved search.
v isShared - Boolean - True if the asset saved search is shared with other users.
v description - String - The description of the asset saved search.
v filters - List of Strings - The asset saved search filters.
v columns - List of Strings - The asset saved search columns.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /qvm/saved_searches/{saved_search_id}
Deletes a vulnerability saved search.

Deletes a vulnerability saved search.

Table 1861. DELETE /qvm/saved_searches/{saved_search_id} resource details
MIME Type
text/plain

Table 1862. DELETE /qvm/saved_searches/{saved_search_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)

Table 1863. DELETE /qvm/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
204 The vulnerability saved search was deleted.
403 1009 You do not have the required capabilities to delete
the vulnerability saved search.

Chapter 7. Previous REST API versions 937

 Table 1863. DELETE /qvm/saved_searches/{saved_search_id} response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The vulnerability saved search does not exist.
500 1020 null

Response Description

Response Sample

GET /qvm/saved_searches/{saved_search_id}/vuln_instances
Creates the Vulnerability Instances search. This search will return a maximum of
100,000 results.

Creates the Vulnerability Instances search. This search will return a maximum of
100,000 results.
Table 1864. GET /qvm/saved_searches/{saved_search_id}/vuln_instances resource details
MIME Type
application/json

Table 1865. GET /qvm/saved_searches/{saved_search_id}/vuln_instances request

parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain ID of saved search
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1866. GET /qvm/saved_searches/{saved_search_id}/vuln_instances response codes

HTTP Response
Code Unique Code Description
201 The vulnerability instance search is queued.
404 1002 null
500 1020 null

Response Description

The responses returns a task ID.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,

938 QRadar API Reference Guide

 "status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

POST /qvm/tickets/assign
Update the remediation ticket for the assigned vulnerability
Table 1867. POST /qvm/tickets/assign resource details
MIME Type
application/json

Table 1868. POST /qvm/tickets/assign request body details

Parameter Data Type MIME Type Description Sample
ticket JSON application/json [ { "ticketId":"1000",
'ticketId': required. "status":"Opened", "priority":"Critical",
"dueDate":"2015-01-04 12:00:00",
"assignedUser":"admin",
'priority' one of required :
"comment":"testComment",
Critical, Major, Minor,
"commentUser":"admin" } ]
Warning, Informational.

'status' one of required :

Opened, Fixed, Re-Opened,
Closed .

'dueDate' Optional :
yyyy-MM-dd HH:mm:ss.

'assignedUser' required : valid

QRadar user account name or
a valid email.

'comment' Optional : text.

'commentUser' Optional :
valid QRadar user account
name, if not included will
default current API user.

Table 1869. POST /qvm/tickets/assign response codes

HTTP Response
Code Unique Code Description
200 The request to assign a ticket completed successfully
420 9104 An error occurred while trying to assign a ticket due
to invalid arguments

Response Description

success message if update succeed

Response Sample

GET /qvm/vulns
List the Vulnerabilities present in the asset model. The response will contain all
available RESTful resources

Chapter 7. Previous REST API versions 939

 Table 1870. GET /qvm/vulns resource details
MIME Type
application/json

Table 1871. GET /qvm/vulns request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 1872. GET /qvm/vulns response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities completed
successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of vulnerability data

Response Sample

Reference data endpoints

Use the references for REST API V7.0 reference data endpoints.

GET /reference_data/map_delete_tasks/{task_id}
Retrieves the delete reference data map task status.

Retrieves the delete reference data map task status.

Table 1873. GET /reference_data/map_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1874. GET /reference_data/map_delete_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

940 QRadar API Reference Guide

Table 1874. GET /reference_data/map_delete_tasks/{task_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1875. GET /reference_data/map_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/reference_data/maps/map_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,

Chapter 7. Previous REST API versions 941

 CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_dependent_tasks/{task_id}
Retrieves the dependent reference data map task status.

Retrieves the dependent reference data map task status.

Table 1876. GET /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1877. GET /reference_data/map_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1878. GET /reference_data/map_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.

942 QRadar API Reference Guide

v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

Chapter 7. Previous REST API versions 943

 PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_dependent_tasks/{task_id}
Cancels the dependent reference data map task.

Cancels the dependent reference data map task.

Table 1879. POST /reference_data/map_dependent_tasks/{task_id} resource details
MIME Type
application/json

944 QRadar API Reference Guide

Table 1880. POST /reference_data/map_dependent_tasks/{task_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1881. POST /reference_data/map_dependent_tasks/{task_id} request body details

MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 1882. POST /reference_data/map_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The Delete task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state
422 1005 A request parameter is not valid
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/maps/map_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.

Chapter 7. Previous REST API versions 945

 v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested the cancellation the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

946 QRadar API Reference Guide

 PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_dependent_tasks/{task_id}/results
Retrieves the reference data map dependent task results.

Retrieves the reference data map dependent task results.

Table 1883. GET /reference_data/map_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 947

 Table 1884. GET /reference_data/map_dependent_tasks/{task_id}/results request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1885. GET /reference_data/map_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The reference data map dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
reference data maps.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource. ( Default
resources can have localized names )
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - The true if the user who created the task
has permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,

948 QRadar API Reference Guide

 ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/map_of_sets
Retrieve a list of all reference map of sets.
Table 1886. GET /reference_data/map_of_sets resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 949

 Table 1887. GET /reference_data/map_of_sets request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1888. GET /reference_data/map_of_sets response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference map of sets

Response Description

A list of all of the reference map of sets. This returns information about the map of
sets but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

950 QRadar API Reference Guide

POST /reference_data/map_of_sets
Create a new reference map of sets.
Table 1889. POST /reference_data/map_of_sets resource details
MIME Type
application/json

Table 1890. POST /reference_data/map_of_sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map of sets
to create
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map of sets. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Chapter 7. Previous REST API versions 951

 Table 1891. POST /reference_data/map_of_sets response codes
HTTP Response
Code Unique Code Description
201 A new reference map of sets was successfully
created
409 1004 The reference map of sets could not be created, the
name provided is already in use. Please change the
name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map of sets

Response Description

Information about the newly created reference map of sets.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/bulk_load/{name}
Adds or updates data in a reference map of sets.

Adds or updates data in a reference map of sets.

Table 1892. POST /reference_data/map_of_sets/bulk_load/{name} resource details
MIME Type
application/json

Table 1893. POST /reference_data/map_of_sets/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the map of sets to add
or update data in.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

952 QRadar API Reference Guide

Table 1894. POST /reference_data/map_of_sets/bulk_load/{name} request body details
MIME
Parameter Data Type Type Description Sample
data Array application/Required - The {"key1":["Data11","Data12"],
json JSON-formatted data "key2":["Data21","Data22"],
to add or update in "key3":["Data31","Data32"],
the reference map of "key4":["Data41","Data42"],
sets. "key5":["Data51","Data52"],
"key6":["Data61","Data62"]}

Table 1895. POST /reference_data/map_of_sets/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 Data was successfully added or updated in the
reference map of sets.
400 1001 An error occurred parsing the JSON-formatted
message body.
404 1002 The reference map of sets does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or
update data in the reference map of sets.

Response Description

Information about the reference map of sets where data was added or updated.
This returns information about the reference map of sets but not the data that it
contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/map_of_sets/{name}
Return the reference map of sets identified by name.

Return the reference map of sets identified by name. If provided, limit specifies
the number of records to return starting at the record that is specified by offset. If
the number is not specified, then the first 20 records is returned.
Table 1896. GET /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 953

 Table 1897. GET /reference_data/map_of_sets/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1898. GET /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has been retrieved
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference map of sets

Response Description

The reference map of sets identified by the name specified in the request. The
portion of the reference map of sets' data returned is dependent on the limit and
offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
]
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",

954 QRadar API Reference Guide

 "name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/{name}
Add or update an element in a reference map of sets.
Table 1899. POST /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 1900. POST /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to add or update
an element in
key query Required String text/plain Required - The key of
the set to add or
update
value query Required String text/plain Required - The value to
add or update in the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - This
indicates where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1901. POST /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had an element added
or updated
404 1002 The reference map of sets does not exist

Chapter 7. Previous REST API versions 955

 Table 1901. POST /reference_data/map_of_sets/{name} response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map of sets

Response Description

Information about the reference map of sets that has had an element added or
updated. This returns information about the reference map of sets but not the
contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/map_of_sets/{name}
Remove a map of sets or purge its contents.
Table 1902. DELETE /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 1903. DELETE /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map of sets
should have its
contents purged (true),
keeping the reference
map of sets structure. If
the value is "false" or
not specified the
reference map of sets
will be removed
completely.

956 QRadar API Reference Guide

Table 1903. DELETE /reference_data/map_of_sets/{name} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1904. DELETE /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets deletion or purge
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map of sets

Response Description

A status_id to retrieve the Reference Data Map of Sets deletion or purge status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

Chapter 7. Previous REST API versions 957

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/map_of_sets/{name}/dependents
Retrieves the dependents of the Map of Sets.

Initiates the retrieval of dependents of the Map of Sets

Table 1905. GET /reference_data/map_of_sets/{name}/dependents resource details
MIME Type
application/json

Table 1906. GET /reference_data/map_of_sets/{name}/dependents request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

958 QRadar API Reference Guide

Table 1907. GET /reference_data/map_of_sets/{name}/dependents response codes
HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Response Description

A status_id to retrieve the Reference Data Map of Sets dependent retrieval status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

Chapter 7. Previous REST API versions 959

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/map_of_sets/{name}/{key}
Remove a value from a reference map of sets.

Remove a value from a reference map of sets.

Table 1908. DELETE /reference_data/map_of_sets/{name}/{key} resource details
MIME Type
application/json

Table 1909. DELETE /reference_data/map_of_sets/{name}/{key} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove a value
from
key path Required String text/plain Required - The key of
the value to remove
value query Required String text/plain Required - The value to
remove from the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1910. DELETE /reference_data/map_of_sets/{name}/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had a value removed
404 1002 The reference map of sets does not exist

960 QRadar API Reference Guide

Table 1910. DELETE /reference_data/map_of_sets/{name}/{key} response
codes (continued)
HTTP Response
Code Unique Code Description
404 1003 The record does not exist in the reference map of
sets
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference map of sets value

Response Description

Information about the reference map of sets that had a value removed. This returns
information about the reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/map_of_sets_delete_tasks/{task_id}
Retrieves the delete reference data map of sets task status.

Retrieves the delete reference data map of sets task status.

Table 1911. GET /reference_data/map_of_sets_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1912. GET /reference_data/map_of_sets_delete_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 961

 Table 1913. GET /reference_data/map_of_sets_delete_tasks/{task_id} response codes
HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/reference_data/map_of_sets/map_of_sets_delete_tasks/{task_id}". A Delete
Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}
Retrieves the dependent reference data map of sets task status.

Retrieves the dependent reference data map of sets task status.

962 QRadar API Reference Guide

Table 1914. GET /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1915. GET /reference_data/map_of_sets_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1916. GET /reference_data/map_of_sets_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.

Chapter 7. Previous REST API versions 963

 v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,

964 QRadar API Reference Guide

 INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/map_of_sets_dependent_tasks/{task_id}
Cancels the dependent reference data map of sets task.

Cancels the dependent reference data map of sets task.

Table 1917. POST /reference_data/map_of_sets_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1918. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 965

 Table 1919. POST /reference_data/map_of_sets_dependent_tasks/{task_id} request body
details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 1920. POST /reference_data/map_of_sets_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/map_of_sets/map_of_sets_dependent_tasks/{task_id}". A
Dependent Task Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.

966 QRadar API Reference Guide

v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,

Chapter 7. Previous REST API versions 967

 PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/map_of_sets_dependent_tasks/{task_id}/
results
Retrieves the reference data map of sets dependent task results.

Retrieves the reference data map of sets dependent task results.

Table 1921. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results resource
details
MIME Type
application/json

Table 1922. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

968 QRadar API Reference Guide

Table 1923. GET /reference_data/map_of_sets_dependent_tasks/{task_id}/results response
codes
HTTP Response
Code Unique Code Description
200 The reference data map of sets dependents have
been retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
reference data map of sets.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource.
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,

Chapter 7. Previous REST API versions 969

 CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /reference_data/maps
Retrieve a list of all reference maps.
Table 1924. GET /reference_data/maps resource details
MIME Type
application/json

Table 1925. GET /reference_data/maps request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

970 QRadar API Reference Guide

Table 1926. GET /reference_data/maps response codes
HTTP Response
Code Unique Code Description
200 The reference map list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference maps

Response Description

A list of all of the reference maps. This returns information about the maps but not
the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/maps
Create a new reference map.
Table 1927. POST /reference_data/maps resource details
MIME Type
application/json

Table 1928. POST /reference_data/maps request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map to
create
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values

Chapter 7. Previous REST API versions 971

 Table 1928. POST /reference_data/maps request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 1929. POST /reference_data/maps response codes

HTTP Response
Code Unique Code Description
201 A new reference map was successfully created
409 1004 The reference map could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map

Response Description

Information about the newly created reference map.

972 QRadar API Reference Guide

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/bulk_load/{name}
Adds or updates data in a reference map.

Adds or updates data in a reference map.

Table 1930. POST /reference_data/maps/bulk_load/{name} resource details
MIME Type
application/json

Table 1931. POST /reference_data/maps/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
map to add or update
data in.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1932. POST /reference_data/maps/bulk_load/{name} request body details

MIME
Parameter Data Type Type Description Sample
data Array application/ Required - The {"key1":"Data1",
json JSON-formatted data to "key2":"Data2",
add or update in the "key3":"Data3",
reference map. "key4":"Data4",
"key5":"Data5",
"key6":"Data6"}

Table 1933. POST /reference_data/maps/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 Data was successfully added or updated in the
reference map.

Chapter 7. Previous REST API versions 973

 Table 1933. POST /reference_data/maps/bulk_load/{name} response codes (continued)
HTTP Response
Code Unique Code Description
400 1001 An error occurred parsing the JSON-formatted
message body.
404 1002 The reference map does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or
update data in the reference map.

Response Description

Information about the reference map where data was added or updated. This
returns information about the reference map but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/maps/{name}
Retrieve the reference map identified by name.

Retrieve the reference map identified by name. If it is provided, limit specifies the
number of records to return starting at record that is specified by offset. If the
number is not specified, then the first 20 records are returned.
Table 1934. GET /reference_data/maps/{name} resource details
MIME Type
application/json

Table 1935. GET /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

974 QRadar API Reference Guide

Table 1935. GET /reference_data/maps/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1936. GET /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map has been retrieved
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference map

Response Description

The reference map identified by the name specified in the request. The portion of
the reference map's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

Chapter 7. Previous REST API versions 975

 POST /reference_data/maps/{name}
Add or update an element in a reference map.
Table 1937. POST /reference_data/maps/{name} resource details
MIME Type
application/json

Table 1938. POST /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
add or update an
element in
key query Required String text/plain Required - The key
who's value we want to
add or update
value query Required String text/plain Required - The value to
add or update in the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1939. POST /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map has had an element added or
updated
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map

976 QRadar API Reference Guide

Response Description

Information about the reference map that had an element added or updated. This
returns information about reference map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/maps/{name}
Remove a reference map or purge its contents.
Table 1940. DELETE /reference_data/maps/{name} resource details
MIME Type
application/json

Table 1941. DELETE /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map should
have its contents
purged (true), keeping
the reference map
structure. If the value is
"false" or not specified
the reference map will
be removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 977

 Table 1942. DELETE /reference_data/maps/{name} response codes
HTTP Response
Code Unique Code Description
202 The Reference Data Maps deletion or purge request
has been accepted and is in progress
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map

Response Description

A status_id to retrieve the Reference Data Maps deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

978 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/maps/{name}/dependents
Retrieves the dependents of the Map.
Table 1943. GET /reference_data/maps/{name}/dependents resource details
MIME Type
application/json

Table 1944. GET /reference_data/maps/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map
retrieve dependents for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1945. GET /reference_data/maps/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Maps dependent retrieval
request has been accepted and is in progress
404 1002 The reference Map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map

Response Description

A status_id to retrieve the Reference Data Maps dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Chapter 7. Previous REST API versions 979

 Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/maps/{name}/{key}
Remove a value from a reference map.

Remove a value from a reference map.

980 QRadar API Reference Guide

Table 1946. DELETE /reference_data/maps/{name}/{key} resource details
MIME Type
application/json

Table 1947. DELETE /reference_data/maps/{name}/{key} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove a value from
key path Required String text/plain Required - The key of
the value to remove
value query Required String text/plain Required - The value to
remove from the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1948. DELETE /reference_data/maps/{name}/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map has had a value removed
404 1002 The reference map does not exist
404 1003 The record does not exist in the reference map
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
value from the reference map

Response Description

Information about the reference map that had an element removed. This returns
information about map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",

Chapter 7. Previous REST API versions 981

 "name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/set_delete_tasks/{task_id}
Retrieves the delete reference data set task status.

Retrieves the delete reference data set task status.

Table 1949. GET /reference_data/set_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 1950. GET /reference_data/set_delete_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1951. GET /reference_data/set_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/reference_data/sets/set_delete_tasks/{task_id}". A Delete Task Status object
contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.

982 QRadar API Reference Guide

v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of:
CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /reference_data/set_dependent_tasks/{task_id}
Retrieves the dependent reference data set task status.

Retrieves the dependent reference data set task status.

Table 1952. GET /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1953. GET /reference_data/set_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 983

 Table 1954. GET /reference_data/set_dependent_tasks/{task_id} response codes
HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status URL
"/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

984 QRadar API Reference Guide

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

Chapter 7. Previous REST API versions 985

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /reference_data/set_dependent_tasks/{task_id}
Cancels the dependent reference data set task.

Cancels the dependent reference data set task.

Table 1955. POST /reference_data/set_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 1956. POST /reference_data/set_dependent_tasks/{task_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1957. POST /reference_data/set_dependent_tasks/{task_id} request body details

MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 1958. POST /reference_data/set_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.

986 QRadar API Reference Guide

Table 1958. POST /reference_data/set_dependent_tasks/{task_id} response
codes (continued)
HTTP Response
Code Unique Code Description
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/reference_data/sets/set_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested cancellation of the
task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects that were checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Chapter 7. Previous REST API versions 987

 Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,

988 QRadar API Reference Guide

 FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /reference_data/set_dependent_tasks/{task_id}/results
Retrieves the reference data set dependent task results.

Retrieves the reference data set dependent task results.

Table 1959. GET /reference_data/set_dependent_tasks/{task_id}/results resource details
MIME Type
application/json

Table 1960. GET /reference_data/set_dependent_tasks/{task_id}/results request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1961. GET /reference_data/set_dependent_tasks/{task_id}/results response codes

HTTP Response
Code Unique Code Description
200 The reference data set dependents were retrieved.
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
reference data sets.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource.
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.

Chapter 7. Previous REST API versions 989

 v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,
VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

990 QRadar API Reference Guide

GET /reference_data/sets
Retrieve a list of all reference sets.
Table 1962. GET /reference_data/sets resource details
MIME Type
application/json

Table 1963. GET /reference_data/sets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1964. GET /reference_data/sets response codes

HTTP Response
Code Unique Code Description
200 The reference set list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference sets

Response Description

A list of all of the reference sets. This returns information about the sets but not the
contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,

Chapter 7. Previous REST API versions 991

 "time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/sets
Create a new reference set.
Table 1965. POST /reference_data/sets resource details
MIME Type
application/json

Table 1966. POST /reference_data/sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference set being
created
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
set. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

992 QRadar API Reference Guide

Table 1967. POST /reference_data/sets response codes
HTTP Response
Code Unique Code Description
201 A new reference set was successfully created
409 1004 The reference set could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference set

Response Description

Information about the newly created reference set.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/bulk_load/{name}
Add or update data in a reference set.
Table 1968. POST /reference_data/sets/bulk_load/{name} resource details
MIME Type
application/json

Table 1969. POST /reference_data/sets/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
set to add or update
data in
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 993

 Table 1970. POST /reference_data/sets/bulk_load/{name} request body details
Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON ["String", "String",
formated data to add or "String", "String",
update in the reference "String", "String",
set "String", "String",
"String", "String",
"String"]

Table 1971. POST /reference_data/sets/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had data added or updated
400 1001 An error occurred parsing the JSON formatted
message body
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference set

Response Description

Information about the reference set that had data added or updated. This returns
information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name}
Retrieve the reference set identified by name.

Retrieve the reference set that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 1972. GET /reference_data/sets/{name} resource details
MIME Type
application/json

Table 1973. GET /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
retrieve

994 QRadar API Reference Guide

Table 1973. GET /reference_data/sets/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1974. GET /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has been retrieved
404 1002 The reference set does not exist.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference set

Response Description

The reference set identified by the name specified in the request. The portion of the
set's data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
],
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",

Chapter 7. Previous REST API versions 995

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/{name}
Add or update an element in a reference set.
Table 1975. POST /reference_data/sets/{name} resource details
MIME Type
application/json

Table 1976. POST /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to add
or update an element in
value query Required String text/plain Required - The value to
add or update in the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1977. POST /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had an element added or
updated
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update an element in the reference set

996 QRadar API Reference Guide

Response Description

Information about the reference set that had an element added or updated. This
returns information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/sets/{name}
Remove a reference set or purge its contents.
Table 1978. DELETE /reference_data/sets/{name} resource details
MIME Type
application/json

Table 1979. DELETE /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the set to remove or
purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference set should
have its contents
purged (true), keeping
the reference set
structure. If the value is
"false" or not specified
the reference set will be
removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 997

 Table 1980. DELETE /reference_data/sets/{name} response codes
HTTP Response
Code Unique Code Description
202 The Reference Data Sets deletion or purge request
has been accepted and is in progress
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference set

Response Description

A status_id to retrieve the Reference Data Sets deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

998 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/sets/{name}/{value}
Remove a value from a reference set.

Remove a value from a reference set.

Table 1981. DELETE /reference_data/sets/{name}/{value} resource details
MIME Type
application/json

Table 1982. DELETE /reference_data/sets/{name}/{value} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
remove a value from
value path Required String text/plain Required - The value to
remove from the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1983. DELETE /reference_data/sets/{name}/{value} response codes

HTTP Response
Code Unique Code Description
200 The reference set that had a value removed
404 1002 The reference set does not exist
404 1003 The record does not exist in the reference set
422 1005 A request parameter is not valid

Chapter 7. Previous REST API versions 999

 Table 1983. DELETE /reference_data/sets/{name}/{value} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to remove the
value from the reference set.

Response Description

Information about the reference set that had an value removed. This returns
information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name}/dependents
Retrieves the dependents of the set.
Table 1984. GET /reference_data/sets/{name}/dependents resource details
MIME Type
application/json

Table 1985. GET /reference_data/sets/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the Reference Set
retrieve dependents for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1986. GET /reference_data/sets/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Sets dependent retrieval request
has been accepted and is in progress
404 1002 The Reference Set does not exist
422 1005 A request parameter is not valid

1000 QRadar API Reference Guide

Table 1986. GET /reference_data/sets/{name}/dependents response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to get the
dependents for the Reference Set

Response Description

A status_id to retrieve the Reference Data Sets dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"

Chapter 7. Previous REST API versions 1001

 }
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables
Retrieve a list of all reference tables.
Table 1987. GET /reference_data/tables resource details
MIME Type
application/json

Table 1988. GET /reference_data/tables request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 1989. GET /reference_data/tables response codes

HTTP Response
Code Unique Code Description
200 The reference table list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference tables

Response Description

A list of all of the reference tables. This returns information about the tables but
not the contained data.

1002 QRadar API Reference Guide

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/tables
Create a new reference table.
Table 1990. POST /reference_data/tables resource details
MIME Type
application/json

Table 1991. POST /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference table to
create
element_type query Required String text/plain Required - The default
element type for the
values allowed in the
reference table. This is
used when values are
added or updated in the
reference table who's
inner key was not defined
in the key_name_types
parameter. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented in
milliseconds since the
Unix Epoch January 1st
1970.
outer_key_label query Optional String text/plain Optional - The label to
describe the outer keys
timeout_type query Optional String text/plain Optional - The allowed
values are "FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for example:
"1 month" or "5 minutes"
key_name_types query Optional Array<Object> application/json Optional - A JSON
formatted string. This
array creates the inner key
names and corresponding
value types for the table

Chapter 7. Previous REST API versions 1003

 Table 1991. POST /reference_data/tables request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 1992. POST /reference_data/tables response codes

HTTP Response
Code Unique Code Description
201 A new reference table was successfully created
409 1004 The reference table could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference table

Response Description

Information about the newly created reference table.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/bulk_load/{name}
Adds or updates data in a reference table.

Adds or updates data in a reference table.

Table 1993. POST /reference_data/tables/bulk_load/{name} resource details
MIME Type
application/json

Table 1994. POST /reference_data/tables/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
table to add or update
data in.

1004 QRadar API Reference Guide

Table 1994. POST /reference_data/tables/bulk_load/{name} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 1995. POST /reference_data/tables/bulk_load/{name} request body details

MIME
Parameter Data Type Type Description Sample
data Array application/ Required - The {"key1":{"col1":"Data11","col2":"Data12",
json JSON-formatted data to "col3":"Data13","col4":"Data14"},
add or update in the "key2":{"col1":"Data21","col2":"Data22",
reference table. "col3":"Data23","col4":"Data24"},
"key3":{"col1":"Data31","col2":"Data32",
"col3":"Data33","col4":"Data34"},
"key4":{"col1":"Data41","col2":"Data42",
"col3":"Data43","col4":"Data44"},
"key5":{"col1":"Data51","col2":"Data52",
"col3":"Data53","col4":"Data54"},
"key6":{"col1":"Data61","col2":"Data62",
"col3":"Data63","col4":"Data64"}}

Table 1996. POST /reference_data/tables/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 Data was successfully added or updated in the
reference table.
400 1001 An error occurred parsing the JSON-formatted
message body.
404 1002 The reference table does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to add or
update data in the reference table.

Response Description

Information about the reference table where data was added or updated. This
returns information about the reference table but not the data that it contains.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",

Chapter 7. Previous REST API versions 1005

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/tables/{name}
Return the reference table identified by name.

Return the reference table that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 1997. GET /reference_data/tables/{name} resource details
MIME Type
application/json

Table 1998. GET /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 1999. GET /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference table has been retrieved
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference table

1006 QRadar API Reference Guide

Response Description

The reference table identified by the name specified in the request. The portion of
the reference table's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/{name}
Add or update an element in a reference table.

Add or update an element in a reference table. The value to be added must be of

the appropriate type. Either the type that corresponds to the innerKey that is
predefined for the reference table, or the default elementType of the reference table
Table 2000. POST /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2001. POST /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
add or update an
element in
outer_key query Required String text/plain Required - The outer
key for the element to
add or update
inner_key query Required String text/plain Required - The inner
key for the element to
add or update

Chapter 7. Previous REST API versions 1007

 Table 2001. POST /reference_data/tables/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value query Required String text/plain Required - The value to
add or update in the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2002. POST /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference table has had an element added or
updated
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference table

Response Description

Information about the reference table that had an element added or updated. This
returns information about the reference table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",

1008 QRadar API Reference Guide

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/tables/{name}
Removes a reference table or purge its contents.
Table 2003. DELETE /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2004. DELETE /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference table should
have its contents
purged (true), keeping
the reference table
structure. If the value is
"false" or not specified
the reference table will
be removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2005. DELETE /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables deletion or purge request
has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference table

Chapter 7. Previous REST API versions 1009

 Response Description

A status_id to retrieve the Reference Data Tables deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

1010 QRadar API Reference Guide

GET /reference_data/tables/{name}/dependents
Retrieves the dependents of the table.
Table 2006. GET /reference_data/tables/{name}/dependents resource details
MIME Type
application/json

Table 2007. GET /reference_data/tables/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2008. GET /reference_data/tables/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Response Description

A status_id to retrieve the Reference Data Tables dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,

Chapter 7. Previous REST API versions 1011

 "maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/tables/{name}/{outer_key}/{inner_key}
Removes a value from a reference table.

Remove a value from a reference table.

Table 2009. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} resource details
MIME Type
application/json

Table 2010. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove a value from

1012 QRadar API Reference Guide

Table 2010. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
outer_key path Required String text/plain Required - The outer
key of the value to
remove
inner_key path Required String text/plain Required - The inner
key of the value to
remove
value query Required String text/plain Required - The value to
remove from the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2011. DELETE /reference_data/tables/{name}/{outer_key}/{inner_key} response codes

HTTP Response
Code Unique Code Description
200 The reference table had had a value removed
404 1002 The reference table does not exist
404 1003 The record does not exist in the reference table
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference table value

Response Description

Information about the reference table that had an element removed. This returns
information about table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",

Chapter 7. Previous REST API versions 1013

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

Scanner endpoints
Use the references for REST API V7.0 scanner endpoints.

GET /scanner/profiles
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
Table 2012. GET /scanner/profiles resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2013. GET /scanner/profiles response codes
HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample

POST /scanner/profiles/create
Initiates a request to create a new Scan Profile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and IP addresses to scan. For example:
{name:New Scan Profile, ips:[10.100.85.135]}

Table 2014. POST /scanner/profiles/create resource details

MIME Type
text/plain

1014 QRadar API Reference Guide

Table 2015. POST /scanner/profiles/create request body details
Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 2016. POST /scanner/profiles/create response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully created
419 9101 Occurs when a parameter is missing or invalid
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

POST /scanner/profiles/start
Initiates a request to start an already created scanProfile.

The request takes one parameter - scanProfileId. To get a list of scanProfileIds, get
a list of the current scan profiles by initiating a 'profiles' request on the scanner
endpoint. The scanProfileId is validated and an appropriate message is returned.
Table 2017. POST /scanner/profiles/start resource details
MIME Type
text/plain

Table 2018. POST /scanner/profiles/start request parameter details

Parameter Type Optionality Data Type MIME Type Description
scanProfileId query Required String text/plain The unique id of the
scan profile we want to
start

Table 2019. POST /scanner/profiles/start response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Chapter 7. Previous REST API versions 1015

 Response Sample
String

GET /scanner/scanprofiles
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2020. GET /scanner/scanprofiles resource details
MIME Type
application/json

Table 2021. GET /scanner/scanprofiles request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

1016 QRadar API Reference Guide

Table 2022. GET /scanner/scanprofiles response codes
HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles
Initiates a request to create a new scanProfile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and hosts to scan. For example:
{name:New Scan Profile, hosts:[10.100.85.135]}

Table 2023. POST /scanner/scanprofiles resource details

MIME Type
text/plain

Chapter 7. Previous REST API versions 1017

 Table 2024. POST /scanner/scanprofiles request body details
Parameter Data Type MIME Type Description Sample
scanProfile Object application/json null { "description": "String",
"hosts": [ "String" ],
"name": "String" }

Table 2025. POST /scanner/scanprofiles response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully created
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid}
Retrieves a scan profile for a given Scan Profile ID.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v name
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2026. GET /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 2027. GET /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we need to
retrieve information for

1018 QRadar API Reference Guide

Table 2027. GET /scanner/scanprofiles/{profileid} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2028. GET /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
200 The scan profile was successfully returned
500 1030 Occurs when an attempt is made to list a scan
profile when certain conditions are not met, or when
too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,

Chapter 7. Previous REST API versions 1019

 "hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles/{profileid}
Update a scan profile. The Scan Profile ID is required.

The following information on a scan profile can be updated:

v name
v description
v IP addresses

For example:
{name:Updated Scan Profile, ips:[10.100.85.135]}
Table 2029. POST /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 2030. POST /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile used to
update

Table 2031. POST /scanner/scanprofiles/{profileid} request body details

Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 2032. POST /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
202 The scan profile was successfully updated
500 1030 Occurs when an attempt is made to update a scan
profile when certain conditions are not met, or when
too many scan requests have been made

1020 QRadar API Reference Guide

Response Description

A message to indicate whether the scan profile has updated or not.

Response Sample

DELETE /scanner/scanprofiles/{profileid}
Initiates a request to delete a scanProfile.

The request takes one parameter - the Scan Profile ID.

Table 2033. DELETE /scanner/scanprofiles/{profileid} resource details
MIME Type
text/plain

Table 2034. DELETE /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain null

Table 2035. DELETE /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
204 The scan has been successfully deleted
500 1030 Occurs when an attempt is made to delete a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been deleted successfully or not.

Response Sample
String

POST /scanner/scanprofiles/{profileid}/start
Initiates a request to start an already created scanProfile.

The request takes one parameter, scanProfileId, and one optional parameter, ips.
To get a list of scanProfileIds, simply get a list of the current scan profiles by
initiating a 'profiles' request on the scanner endpoint. The scanProfileId, is
validated and an appropriate message returned.
Table 2036. POST /scanner/scanprofiles/{profileid}/start resource details
MIME Type
text/plain

Chapter 7. Previous REST API versions 1021

 Table 2037. POST /scanner/scanprofiles/{profileid}/start request parameter details
MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we want to
start

Table 2038. POST /scanner/scanprofiles/{profileid}/start request body details

Parameter Data Type MIME Type Description Sample
ips JSON application/json null null

Table 2039. POST /scanner/scanprofiles/{profileid}/start response codes

HTTP Response
Code Unique Code Description
202 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

SIEM endpoints
Use the references for REST API V7.0 SIEM endpoints.

GET /siem/local_destination_addresses
Retrieve a list offense local destination addresses currently in the system.
Table 2040. GET /siem/local_destination_addresses resource details
MIME Type
application/json

1022 QRadar API Reference Guide

Table 2041. GET /siem/local_destination_addresses request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2042. GET /siem/local_destination_addresses response codes

HTTP Response
Code Unique Code Description
200 The local destination address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the local destination
address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object

contains the following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.

Chapter 7. Previous REST API versions 1023

 v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}
]

GET /siem/local_destination_addresses/
{local_destination_address_id}
Retrieve an offense local destination address.
Table 2043. GET /siem/local_destination_addresses/{local_destination_address_id} resource
details
MIME Type
application/json

Table 2044. GET /siem/local_destination_addresses/{local_destination_address_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
local_destination_address_id path Required Number text/plain Required - The ID of the
(Integer) local destination address
to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2045. GET /siem/local_destination_addresses/{local_destination_address_id}

response codes
HTTP Response
Code Unique Code Description
200 The local destination was retrieved.

1024 QRadar API Reference Guide

Table 2045. GET /siem/local_destination_addresses/{local_destination_address_id}
response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No local destination address was found for the
provided local_destination_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the local destination
address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the
following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}

Chapter 7. Previous REST API versions 1025

 GET /siem/offense_closing_reasons
Retrieve a list of all offense closing reasons.
Table 2046. GET /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2047. GET /siem/offense_closing_reasons request parameter details

MIME
Parameter Type Optionality Data Type Type Description
include_reserved query Optional Boolean text/plain Optional - If true,
reserved closing
reasons are included in
the response. Defaults
to false. Reserved
closing reasons cannot
be used to close an
offense.
include_deleted query Optional Boolean text/plain Optional - If true,
deleted closing reasons
are included in the
response. Defaults to
false. Deleted closing
reasons cannot be used
to close an offense.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict
the number of elements
that are returned in the
list to a specified
range. The list is
indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2048. GET /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
200 The closing reasons list was retrieved.
500 1020 An error occurred while the closing reasons list was
being retrieved.

1026 QRadar API Reference Guide

Response Description

An array of ClosingReason objects. A closing reason object contains the following

fields:
v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
[
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
]

POST /siem/offense_closing_reasons
Create an offense closing reason.
Table 2049. POST /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2050. POST /siem/offense_closing_reasons request parameter details

MIME
Parameter Type Optionality Data Type Type Description
reason query Required String text/plain Required - The text of
the offense closing
reason must be 5 - 60
characters in length.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2051. POST /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
201 The closing reason was created.
409 1004 The closing reason already exists.
422 1005 A request parameter is not valid.

Chapter 7. Previous REST API versions 1027

 Table 2051. POST /siem/offense_closing_reasons response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to create the
closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_closing_reasons/{closing_reason_id}
Retrieve an offense closing reason.
Table 2052. GET /siem/offense_closing_reasons/{closing_reason_id} resource details
MIME Type
application/json

Table 2053. GET /siem/offense_closing_reasons/{closing_reason_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
closing_reason_id path Required Number text/plain Required - The closing
(Integer) reason ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2054. GET /siem/offense_closing_reasons/{closing_reason_id} response codes

HTTP Response
Code Unique Code Description
200 The closing reason was retrieved.

1028 QRadar API Reference Guide

Table 2054. GET /siem/offense_closing_reasons/{closing_reason_id} response
codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No closing reason was found for the provided
closing_reason_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_saved_search_delete_tasks/{task_id}
Retrieves the delete the offense saved search task status.

Retrieves the delete offense saved search task status.

Table 2055. GET /siem/offense_saved_search_delete_tasks/{task_id} resource details
MIME Type
application/json

Table 2056. GET /siem/offense_saved_search_delete_tasks/{task_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 1029

 Table 2056. GET /siem/offense_saved_search_delete_tasks/{task_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2057. GET /siem/offense_saved_search_delete_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,

1030 QRadar API Reference Guide

 CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
}

GET /siem/offense_saved_search_dependent_tasks/{task_id}
Retrieves the dependent the offense saved search task status.

Retrieves the dependent offense saved search task status.

Table 2058. GET /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2059. GET /siem/offense_saved_search_dependent_tasks/{task_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
task_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 2060. GET /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The delete task status was retrieved.
404 1002 The delete task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
delete task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.

Chapter 7. Previous REST API versions 1031

 v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task.
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,

1032 QRadar API Reference Guide

 "created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

POST /siem/offense_saved _search_dependent_tasks/{task_id}

Cancels the dependent the offense saved search task.

Cancels the dependent offense saved search task.

Table 2061. POST /siem/offense_saved_search_dependent_tasks/{task_id} resource details
MIME Type
application/json

Table 2062. POST /siem/offense_saved_search_dependent_tasks/{task_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 1033

 Table 2062. POST /siem/offense_saved_search_dependent_tasks/{task_id} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2063. POST /siem/offense_saved_search_dependent_tasks/{task_id} request body

details
MIME
Parameter Data Type Type Description Sample
task Object application/ null { "status": "String <one
json of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>" }

Table 2064. POST /siem/offense_saved_search_dependent_tasks/{task_id} response codes

HTTP Response
Code Unique Code Description
200 The dependent task status was retrieved.
404 1002 The dependent task status does not exist.
409 1004 The task is in a completed state.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
dependent task status.

Response Description

A Dependent Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_dependent_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.

1034 QRadar API Reference Guide

v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state the sub-task is in.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",

Chapter 7. Previous REST API versions 1035

 "task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

GET /siem/offense_saved _search_dependent_tasks/{task_id}/

results
Retrieves the offense saved search dependent task results.

Retrieves the offense saved search dependent task results.

Table 2065. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results resource
details
MIME Type
application/json

Table 2066. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

1036 QRadar API Reference Guide

Table 2066. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2067. GET /siem/offense_saved_search_dependent_tasks/{task_id}/results response

codes
HTTP Response
Code Unique Code Description
200 The offense saved search dependents were retrieved
404 1002 The dependent task status does not exist.
500 1020 An error occurred during the attempt to retrieve the
offense saved searches.

Response Description

An list of Dependent objects. A Dependent object contains the following fields:

v dependent_id - String - The ID of the dependent resource.
v dependent_name - String - The name of the dependent resource (default
resources can have localized names).
v dependent_owner - String - The owner of the dependent resource
v dependent_type - String - The type of the dependent resource
v dependent_database - String - The database of the dependent resource.
v dependent_group_ids - Array of Longs - List of groups that the dependent
resource belongs to.
v user_has_edit_permissions - Boolean - True if the user who created the task has
permission to edit this dependent resource.

Response Sample
[
{
"blocking": true,
"dependent_database": "String <one of: EVENTS, FLOWS>",
"dependent_group_ids": [
42
],
"dependent_id": "String",
"dependent_name": "String",
"dependent_owner": "String",
"dependent_type": "String <one of:
ARIEL_SAVED_SEARCH,
ASSET_SAVED_SEARCH,
OFFENSE_SAVED_SEARCH,

Chapter 7. Previous REST API versions 1037

 VULNERABILITY_SAVED_SEARCH,
QRM_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
CUSTOM_RULE_GROUP,
EVENT_ARIEL_SAVED_SEARCH_GROUP,
FLOW_ARIEL_SAVED_SEARCH_GROUP,
LOG_SOURCE_GROUP, MODEL_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QUESTION_GROUP,
REPORT_GROUP,
SIMULATION_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP,
ASSIGNED_OFFENSE,
ASSIGNED_VULNERABILITY,
AUTHORIZED_SERVICE,
BUILDING_BLOCK,
CRE_RULE,
CRE_ADE_RULE,
EVENT_REGEX_PROPERTY,
EVENT_CALCULATED_PROPERTY,
FLOW_REGEX_PROPERTY,
FLOW_CALCULATED_PROPERTY,
DASHBOARD,
GV_REFERENCE,
REPORT,
REFERENCE_DATA,
REFERENCE_DATA_MAP_OF_SETS,
REFERENCE_DATA_MAPS,
REFERENCE_DATA_SETS,
REFERENCE_DATA_TABLES,
REFERENCE_DATA_RESPONSE,
REFERENCE_SET_RESPONSE,
EVENT_RETENTION_BUCKET,
FLOW_RETENTION_BUCKET,
ROUTING_RULE,
STORE_AND_FORWARD_POLICY,
USER,
HISTORICAL_PROFILE,
OFFENSE_TYPE>",
"user_has_edit_permissions": true
}
]

GET /siem/offense_saved_search_groups
Retrieves a list of offense saved search groups.

Retrieves a list of offense saved search groups.

Table 2068. GET /siem/offense_saved_search_groups resource details
MIME Type
application/json

1038 QRadar API Reference Guide

Table 2069. GET /siem/offense_saved_search_groups request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2070. GET /siem/offense_saved_search_groups response codes

HTTP Response
Code Unique Code Description
200 The offense saved search groups were returned.
500 1020 An error occurred during the attempt to retrieve the
offense saved search groups.

Response Description

List of the Group objects. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Chapter 7. Previous REST API versions 1039

 Response Sample
[
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}
]

GET /siem/offense_saved_search_groups/{group_id}
Retrieves an offense saved search group.

Retrieves an offense saved search group.

Table 2071. GET /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2072. GET /siem/offense_saved_search_groups/{group_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1040 QRadar API Reference Guide

Table 2073. GET /siem/offense_saved_search_groups/{group_id} response codes
HTTP Response
Code Unique Code Description
200 The offense saved search group was retrieved.
404 1002 The offense saved search group does not exist.
500 1020 An error occurred during the attempt to retrieve the
offense saved search group.

Response Description

A single Group object. A Group object contains the following fields:

v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 7. Previous REST API versions 1041

 POST /siem/offense_saved_search_groups/{group_id}
Updates the owner of an offense saved search group.

Updates the owner of an offense saved search group.

Table 2074. POST /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
application/json

Table 2075. POST /siem/offense_saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2076. POST /siem/offense_saved_search_groups/{group_id} request body details

MIME
Parameter Data Type Type Description Sample
group Object application/ Required - Group object { "child_groups": [ 42 ], "child_items": [ "String"
json with the owner set to a ], "description": "String", "id": 42, "level": 42,
valid deployed user. "name": "String", "owner": "String", "parent_id":
42, "type": "String <one of:
LOG_SOURCE_GROUP, REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Table 2077. POST /siem/offense_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
200 The offense saved search group was updated.
404 1002 The offense saved search group does not exist.
409 1004 The provided user does not have the required
capabilities to own the offense saved search group.
422 1005 A request parameter is not valid.

1042 QRadar API Reference Guide

Table 2077. POST /siem/offense_saved_search_groups/{group_id} response
codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to update the
offense saved search group.

Response Description

The updated Group object. A Group object contains the following fields:
v id - Long - The ID of the group.
v parent_id - Long - The ID of the parent group (default resources can have
localized names).
v type - String - The type of the group.
v level - Long - The depth of the group in the group hierarchy.
v name - String - The name of the group (default resources can have localized
names).
v description - String - The description of the group (default resources can have
localized names).
v owner - String - The owner of the group.
v modified_time - Long - The time in milliseconds since epoch since the group
was last modified.
v child_group_ids - Array of Longs - List of the child group IDs.

Response Sample
{
"child_groups": [
42
],
"child_items": [
"String"
],
"description": "String",
"id": 42,
"level": 42,
"modified_time": 42,
"name": "String",
"owner": "String",
"parent_id": 42,
"type": "String <one of: LOG_SOURCE_GROUP,
REPORT_GROUP,
RULE_GROUP,
EVENT_SAVED_SEARCH_GROUP,
FLOW_SAVED_SEARCH_GROUP,
OFFENSE_SAVED_SEARCH_GROUP,
QRM_SAVED_SEARCH_GROUP,
MODEL_SAVED_SEARCH_GROUP,
QUESTION_SAVED_SEARCH_GROUP,
SIMULATION_SAVED_SEARCH_GROUP,
TOPOLOGY_SAVED_SEARCH_GROUP,
ASSET_SAVED_SEARCH_GROUP,
VULNERABILITY_SAVED_SEARCH_GROUP>"
}

Chapter 7. Previous REST API versions 1043

 DELETE /siem/offense_saved_search_groups/{group_id}
Deletes an offense saved search group.

Deletes an offense saved search group.

Table 2078. DELETE /siem/offense_saved_search_groups/{group_id} resource details
MIME Type
text/plain

Table 2079. DELETE /siem/offense_saved_search_groups/{group_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
group_id path Required Number text/plain null
(Integer)

Table 2080. DELETE /siem/offense_saved_search_groups/{group_id} response codes

HTTP Response
Code Unique Code Description
204 The offense saved search group has been deleted.
404 1002 The offense saved search group does not exist.
409 1004 null
500 1020 An error occurred during the attempt to delete the
offense saved search group.

Response Description

Response Sample

GET /siem/offense_saved_searches
Retrieves a list of offense saved searches.

Retrieves a list of offense saved searches.

Table 2081. GET /siem/offense_saved_searches resource details
MIME Type
application/json

Table 2082. GET /siem/offense_saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

1044 QRadar API Reference Guide

Table 2082. GET /siem/offense_saved_searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2083. GET /siem/offense_saved_searches response codes

HTTP Response
Code Unique Code Description
200 The offense saved searches were retrieved.
500 1020 An error occurred during the attempt to retrieve the
offense saved searches.

Response Description

An array of offense saved search objects. An offense saved search object contains
the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
[
{
"id": 42,
"name": "String",
"owner": "String"
}
]

GET /siem/offense_saved_searches/{id}
Retrieves an offense saved search.

Retrieves an offense saved search.

Table 2084. GET /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1045

 Table 2085. GET /siem/offense_saved_searches/{id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2086. GET /siem/offense_saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The offense saved search was retrieved.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to retrieve the
offense saved search.

Response Description

The offense saved search after it has been retrieved. An offense saved search object
contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

1046 QRadar API Reference Guide

POST /siem/offense_saved_searches/{id}
Updates the offense saved search owner only.

Updates the offense saved search owner only.

Table 2087. POST /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 2088. POST /siem/offense_saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict
the number of
elements that are
returned in the list to a
specified range. The
list is indexed starting
at zero.
filter header Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2089. POST /siem/offense_saved_searches/{id} request body details

MIME
Parameter Data Type Type Description Sample
saved_search Object application/ null { "id": "1", "name":
json "String", "is_shared":
true, "owner": "String"
}

Table 2090. POST /siem/offense_saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
200 The offense saved search was updated.

Chapter 7. Previous REST API versions 1047

 Table 2090. POST /siem/offense_saved_searches/{id} response codes (continued)
HTTP Response
Code Unique Code Description
403 1009 You do not have the required capabilities to update
the offense saved search.
404 1002 The offense saved search does not exist.
409 1004 The provided user does not have the required
capabilities to own the offense saved search.
422 1005 A request parameter is not valid.
500 1020 An error occurred during the attempt to update the
offense saved search.

Response Description

The offense saved search after it is updated. An offense saved search object
contains the following fields:
v id - Long - The ID of the offense saved search.
v name - String - The name of the offense saved search.
v owner - String - The owner of the offense saved search.

Response Sample
{
"id": 42,
"name": "String",
"owner": "String"
}

DELETE /siem/offense_saved_searches/{id}
Deletes an offense saved search. To ensure safe deletion, a dependency check is
carried out. This check might take some time. An asynchronous task is started for
this check.

Deletes an offense saved search. To ensure safe deletion, a dependency check is

carried out. This check might take some time. An asynchronous task is started for
this check.
Table 2091. DELETE /siem/offense_saved_searches/{id} resource details
MIME Type
application/json

Table 2092. DELETE /siem/offense_saved_searches/{id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

1048 QRadar API Reference Guide

Table 2092. DELETE /siem/offense_saved_searches/{id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2093. DELETE /siem/offense_saved_searches/{id} response codes

HTTP Response
Code Unique Code Description
202 The offense saved search delete command was
accepted and is in progress.
403 1009 You do not have the required capabilities to delete
the offense saved search.
404 1002 The offense saved search does not exist.
500 1020 An error occurred during the attempt to delete the
offense saved search.

Response Description

A Delete Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_delete_tasks/{task_id}". A Delete Task Status
object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.

Chapter 7. Previous REST API versions 1049

 Response Sample
{
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"message": "String",
"modified": 42,
"name": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /siem/offense_saved_searches/{id}/dependents
Retrieves the objects that depend on an offense saved search.

Retrieves the objects that depend on an offense saved search.

Table 2094. GET /siem/offense_saved_searches/{id}/dependents resource details
MIME Type
application/json

Table 2095. GET /siem/offense_saved_searches/{id}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2096. GET /siem/offense_saved_searches/{id}/dependents response codes

HTTP Response
Code Unique Code Description
202 The offense saved search dependents retrieval was
accepted and is in progress.
404 1002 The offense saved search does not exist.

1050 QRadar API Reference Guide

Table 2096. GET /siem/offense_saved_searches/{id}/dependents response
codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred during the attempt to initiate the
offense saved search dependents retrieval task.

Response Description

A Dependents Task Status object and the location header set to the task status url
"/api/siem/offense_saved_search_dependents_tasks/{task_id}". A Dependent Task
Status object contains the following fields:
v id - Long - The ID of the task.
v message - String - The localized task message.
v status - String - The current state of the task.
v name - String - The name of the task.
v created_by - String - The name of the user who started the task.
v cancelled_by - String - The name of the user who requested to cancel the task.
v created - Long - The time in milliseconds since epoch since the task was created.
v started - Long - The time in milliseconds since epoch since the task was started.
v modified - Long - The time in milliseconds since epoch since the task was
modified.
v completed - Long - The time in milliseconds since epoch since the task was
completed.
v number_of_dependents - Long - The number of dependents found. The value is
null until the task completes.
v maximum - Long - The maximum number of objects to check for dependency.
v progress - Long - The number of objects checked for dependency.
v task_components - Array - An array of task component objects. A task
component object contains the following fields:
message - String - The localized sub-task status message.
status - String - The current state of the sub-task.
sub_task_type - String - The type of the sub-task
maximum - Long - The maximum number of objects to check for dependency.
progress - Long - The number of objects that were checked for dependency.
created - Long - The time in milliseconds since epoch since the sub-task was
created.
started - Long - The time in milliseconds since epoch since the sub-task was
started.
modified - Long - The time in milliseconds since epoch since the sub-task
was modified.
completed - Long - The time in milliseconds since epoch since the sub-task
was completed.

Response Sample
{
"cancelled_by": "String",
"completed": 42,
"created": 42,

Chapter 7. Previous REST API versions 1051

 "created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"number_of_dependents": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
CONFLICT,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_sub_type": "String <one of:
FIND_DEPENDENT_ARIEL_SAVED_SEARCHES,
FIND_DEPENDENT_OFFENSE_SAVED_SEARCHES,
FIND_DEPENDENT_ASSET_SAVED_SEARCHES,
FIND_DEPENDENT_VULNERABILITY_SAVED_SEARCHES,
FIND_DEPENDENT_ADE_RULES,
FIND_DEPENDENT_RULES,
FIND_DEPENDENT_CALCULATED_PROPERTIES,
FIND_DEPENDENT_LOG_SOURCE_GROUPS,
FIND_DEPENDENT_CUSTOM_PROPERTIES,
FIND_DEPENDENT_REPORTS,
FIND_DEPENDENT_DASHBOARDS,
FIND_DEPENDENT_STORE_AND_FORWARD_POLICIES,
FIND_DEPENDENT_AUTHORIZED_SERVICES,
FIND_DEPENDENT_OFFENSE_TYPES,
FIND_DEPENDENT_ASSIGNED_OFFENSES,
FIND_DEPENDENT_VULNERABILITIES,
FIND_DEPENDENT_GROUPS,
FIND_DEPENDENT_HISTORICAL_CORRELATION_PROFILES>"
}
]
}

1052 QRadar API Reference Guide

GET /siem/offenses
Retrieve a list of offenses currently in the system.

Retrieve a list of offenses currently in the system.

Table 2097. GET /siem/offenses resource details
MIME Type
application/json

Table 2098. GET /siem/offenses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2099. GET /siem/offenses response codes

HTTP Response
Code Unique Code Description
200 The offense list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the offense list was being
retrieved.

Response Description

An array of Offense objects. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense. Filtering is not supported
on this field.

Chapter 7. Previous REST API versions 1053

 v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
Filtering is not supported on this field.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense. Filtering is not supported on
this field.
v offense_type - Number - A number that represents the offense type. Use GET
/siem/offense_types to retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED". The following operators are not supported when you filter on this
field: "<", ">", "<=", ">=", "BETWEEN".

1054 QRadar API Reference Guide

v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.

Response Sample
[{"credibility": 42,
"source_address_ids": [42],
"remote_destination_count": 42,
"local_destination_address_ids": [42],
"assigned_to": "String",
"local_destination_count": 42,
"source_count": 42,
"start_time": 42,
"id": 42,
"destination_networks": ["String"],
"inactive": true,
"protected": true,
"policy_category_count": 42,
"description": "String",
"category_count": 42,
"domain_id": 42,
"relevance": 42,
"device_count": 42,
"security_category_count": 42,
"flow_count": 42,
"event_count": 42,
"offense_source": "String",
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"magnitude": 42,
"severity": 42,
"username_count": 42,
"closing_user": "String",
"follow_up": true,
"closing_reason_id": 42,
"close_time": 42,
"source_network": "String",
"last_updated_time": 42,
"categories": ["String"],
"offense_type": 42
}]

GET /siem/offenses/{offense_id}
Retrieve an offense structure that describes properties of an offense

Retrieve an offense structure that describes properties of an offense

Table 2100. GET /siem/offenses/{offense_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1055

 Table 2101. GET /siem/offenses/{offense_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2102. GET /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being
retrieved.

Response Description

An Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.

1056 QRadar API Reference Guide

v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. Use GET
/siem/offense_types to retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,

Chapter 7. Previous REST API versions 1057

 "flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offenses/{offense_id}/notes
Retrieve a list of notes for an offense.
Table 2103. GET /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 2104. GET /siem/offenses/{offense_id}/notes request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the notes
for.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

1058 QRadar API Reference Guide

Table 2104. GET /siem/offenses/{offense_id}/notes request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2105. GET /siem/offenses/{offense_id}/notes response codes

HTTP Response
Code Unique Code Description
200 The note list was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the note list was being
retrieved.

Response Description

An array of Note objects. A Note object contains the following fields:

v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
[
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
]

GET /siem/offenses/{offense_id}/notes/{note_id}
Retrieve a note for an offense.
Table 2106. GET /siem/offenses/{offense_id}/notes/{note_id} resource details
MIME Type
application/json

Table 2107. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the note
from.

Chapter 7. Previous REST API versions 1059

 Table 2107. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
note_id path Required Number text/plain Required - The note ID.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2108. GET /siem/offenses/{offense_id}/notes/{note_id} response codes

HTTP Response
Code Unique Code Description
200 The note was retrieved.
404 1002 No offense was found for the provided offense_id.
404 1003 No note was found for the provided note_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
note.

Response Description

The Note object for the note ID. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}/notes
Create a note on an offense.
Table 2109. POST /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

1060 QRadar API Reference Guide

Table 2110. POST /siem/offenses/{offense_id}/notes request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to add the note to.
note_text query Required String text/plain Required - The note
text.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2111. POST /siem/offenses/{offense_id}/notes response codes

HTTP Response
Code Unique Code Description
201 The note was created.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the
note.

Response Description

The Note object that was created. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

POST /siem/offenses/{offense_id}
Update an offense.
Table 2112. POST /siem/offenses/{offense_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1061

 Table 2113. POST /siem/offenses/{offense_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The ID of
(Integer) the offense to update.
protected query Optional Boolean text/plain Optional - Set to true
to protect the offense.
follow_up query Optional Boolean text/plain Optional - Set to true
to set the follow up
flag on the offense.
status query Optional String text/plain Optional - The new
status for the offense.
Set to one of: OPEN,
HIDDEN, CLOSED.
When the status of an
offense is being set to
CLOSED, a valid
closing_reason_id must
be provided. To hide
an offense, use the
HIDDEN status. To
show a previously
hidden offense, use the
OPEN status.
closing_reason_id query Optional Number text/plain Optional - The ID of a
(Integer) closing reason. You
must provide a valid
closing_reason_id
when you close an
offense.
assigned_to query Optional String text/plain Optional - A user to
assign the offense to.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2114. POST /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was updated.
403 1009 User does not have the required capability to assign an
offense.
404 1002 No offense was found for the provided offense_id.
409 1008 Request cannot be completed due to the state of the
offense.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being updated.

1062 QRadar API Reference Guide

Response Description

An updated Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. See the
Offense Type Codes table for the code to offense type mapping.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.

Chapter 7. Previous REST API versions 1063

 v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.
Table 2115. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source
7 Hostname
8 Source Port
9 Destination Port
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,

1064 QRadar API Reference Guide

 "id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offense_types
Retrieve all the Offense Types

Retrieve all Offense Types

Table 2116. GET /siem/offense_types resource details
MIME Type
application/json

Table 2117. GET /siem/offense_types request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1065

 Table 2117. GET /siem/offense_types request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.

Table 2118. GET /siem/offense_types response codes

HTTP Response
Code Unique Code Description
200 The requested offense types list has been retrieved.
422 1005 A request parameter is not valid.
422 1012 The selected field cannot be used for sorting or it
does not exist.
500 1020 An error occurred while attempting to retrieve the
offense type list.

Response Description

The Offense Types that exist at the moment. Offense types may include custom
flow/event properties only if they have been selected as part of a rule action or
rule response limiter.
v id - Number - The ID of the offense type and what is presented in the offense's
offense_type.
v property_name - String - The name of the event or flow property represented by
this offense type for flow or event properties or the unique identifier for custom
flow or event properties.
v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are:
EVENTS, FLOWS, or COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event
property.
The following field can be sorted on: id.

Response Sample
[
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,

1066 QRadar API Reference Guide

 "name": "String",
"property_name": "String"
}
]

GET /siem/offense_types/{offense_type_id}
Retrieve an offense type structure that describes the properties of an offense type.

Retrieve an Offense Type

Table 2119. GET /siem/offense_types/{offense_type_id} resource details
MIME Type
application/json

Table 2120. GET /siem/offense_types/{offense_type_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
offense_type_id path Required Number text/plain Required - int - The
(Integer) offense type id.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2121. GET /siem/offense_types/{offense_type_id} response codes

HTTP Response
Code Unique Code Description
200 The requested offense type has been retrieved.
404 1002 The requested offense type cannot be found.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
requested offense type.

Response Description

The Offense Type with the entered offense_type_id.

v id - Number - The ID of the offense type and what is presented in the offense's
offense_type.
v property_name - String - The name of the of the event or flow property
represented by this offense type for flow or event properties or the unique
identifier for custom flow or event properties.
v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are:
EVENTS, FLOWS, or COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event
property.

Chapter 7. Previous REST API versions 1067

 Response Sample
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}

GET /siem/source_addresses
Retrieve a list offense source addresses currently in the system.
Table 2122. GET /siem/source_addresses resource details
MIME Type
application/json

Table 2123. GET /siem/source_addresses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2124. GET /siem/source_addresses response codes

HTTP Response
Code Unique Code Description
200 The source address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the source address list was
being retrieved.

1068 QRadar API Reference Guide

Response Description

An array of source address objects. A source address object contains the following
fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
]

GET /siem/source_addresses/{source_address_id}
Retrieve an offense source address.
Table 2125. GET /siem/source_addresses/{source_address_id} resource details
MIME Type
application/json

Table 2126. GET /siem/source_addresses/{source_address_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
source_address_id path Required Number text/plain Required - The ID of the
(Integer) source address to
retrieve.

Chapter 7. Previous REST API versions 1069

 Table 2126. GET /siem/source_addresses/{source_address_id} request parameter
details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2127. GET /siem/source_addresses/{source_address_id} response codes

HTTP Response
Code Unique Code Description
200 The source address was retrieved.
404 1002 No source address was found for the provided
source_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the source address was
being retrieved.

Response Description

A source address object. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],

1070 QRadar API Reference Guide

 "magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}

Staged configuration endpoints

Use the references for REST API V7.0 staged configuration endpoints.

GET /staged_config/deploy_status
Retrieves the status of a deploy in progress.

Retrieves the status of a deploy in progress.

Table 2128. GET /staged_config/deploy_status resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2129. GET /staged_config/deploy_status response codes
HTTP Response
Code Unique Code Description
200 The event Ariel saved search group was updated.
500 1020 An error occurred during the attempt to retrieve the
status of the running deploy,

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.
v hosts - Map of < String, List of String > - A map of status states and a list of
hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy. ( 0 -
100 )

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS,
INITIATING,

Chapter 7. Previous REST API versions 1071

 IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING,
IN_PROGRESS,
COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

POST /staged_config/deploy_status
Executes a deploy.

Executes a deploy.
Table 2130. POST /staged_config/deploy_status resource details
MIME Type
application/json

Table 2131. POST /staged_config/deploy_status request body details

MIME
Parameter Data Type Type Description Sample
deploy_status Object application/ null { "hosts": [ {
json "host_status": "String
<one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT,
ERROR>", "ip":
"String", "status":
"String <one of:
SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT,
ERROR>" } ],
"initiated_by": "String",
"initiated_from":
"String",
"percent_complete":
42, "status": "String
<one of:
INITIALIZING,
IN_PROGRESS,
COMPLETE>", "type":
"String <one of:
INCREMENTAL,
FULL>" }

Table 2132. POST /staged_config/deploy_status response codes

HTTP Response
Code Unique Code Description
200 The deploy was scheduled.

1072 QRadar API Reference Guide

Table 2132. POST /staged_config/deploy_status response codes (continued)
HTTP Response
Code Unique Code Description
409 1002 Theere already exists a deploy in action, or there are
no changes to deploy.
409 1003 null
409 1004 null
422 1005 null
500 1020 An error occurred during the attempt to run the
deploy

Response Description

The deploy status object. A deploy status object contains the following fields:
v initiated_by - String - The name of the user who initiated the deploy.
v initiated_from - String - The hostname from where the deploy was initiated.
v type - String - The type of deploy: FULL or INCREMENTAL.
v status - String - The status of the deploy: UNKNOWN, START, DONE.
v hosts - Map of < String, List of String > - A map of status states and a list of
hosts.
v error_message - String - The deployment error message.
v has_errors - Boolean - True if the deploy has encountered an error.
v percent_complete - Integer - The percentage of completion of the deploy. ( 0 -
100 )

Response Sample
{
"hosts": [
{
"host_status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>",
"ip": "String",
"status": "String <one of: SUCCESS,
INITIATING,
IN_PROGRESS,
TIMED_OUT, ERROR>"
}
],
"initiated_by": "String",
"initiated_from": "String",
"percent_complete": 42,
"status": "String <one of: INITIALIZING,
IN_PROGRESS,
COMPLETE>",
"type": "String <one of: INCREMENTAL, FULL>"
}

GET /staged_config/global_system_notifications
Retrieves a list of all staged global system notifications.

Retrieves the list of staged global system notifications

Chapter 7. Previous REST API versions 1073

 Table 2133. GET /staged_config/global_system_notifications resource details
MIME Type
application/json

Table 2134. GET /staged_config/global_system_notifications request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2135. GET /staged_config/global_system_notifications response codes

HTTP Response
Code Unique Code Description
200 The staged global system notifications list was
successfully retrieved.
500 1020 An internal server error occurred while retrieving
the list of staged global system notifications.

Response Description

A list of all staged global system notifications.

Response Sample
[
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",

1074 QRadar API Reference Guide

 "operator": "String",
"value": 42.5
}
]

GET /staged_config/global_system_notifications/{notification_id}
Retrieves a staged global system notification by ID.

Retrieves a staged global system notification by ID.

Table 2136. GET /staged_config/global_system_notifications/{notification_id} resource details
MIME Type
application/json

Table 2137. GET /staged_config/global_system_notifications/{notification_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number text/plain ID that is used for
(Integer) retrieving a staged global
system notification.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2138. GET /staged_config/global_system_notifications/{notification_id} response codes

HTTP Response
Code Unique Code Description
200 The staged global system notification was
successfully retrieved.
404 1002 No staged global system notification was found for
the provided notification ID.
500 1020 An error occurred while the notification was being
retrieved.

Response Description

The associated staged global system notification object.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

Chapter 7. Previous REST API versions 1075

 POST /staged_config/global_system_notifications/
{notification_id}
Updates an existing staged global system notification.

Updates an existing staged global system notification.

Table 2139. POST /staged_config/global_system_notifications/{notification_id} resource
details
MIME Type
application/json

Table 2140. POST /staged_config/global_system_notifications/{notification_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
notification_id path Required Number text/plain ID that is used for
(Integer) updating a staged global
system notification.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2141. POST /staged_config/global_system_notifications/{notification_id} request body

details
MIME
Parameter Data Type Type Description Sample
notification Object application/ The updated global { "id": 1, "name":
json system notification "Systemloadover1minute",
object. "operator": "GT", "value": 3.6,
"message": "If your system
continues to exhibit this behavior,
please contact Customer Support.",
"enabled": true, "isDefault": true }

Table 2142. POST /staged_config/global_system_notifications/{notification_id} response

codes
HTTP Response
Code Unique Code Description
200 The staged global system notification was
successfully updated.
404 1002 No staged global system notification was found for
the provided notification ID.
422 1005 A request parameter is invalid.
500 1020 An error occurred while the notification was being
retrieved.

1076 QRadar API Reference Guide

Response Description

The associated updated staged global system notification object.

Response Sample
{
"default": true,
"enabled": true,
"id": 42,
"message": "String",
"name": "String",
"operator": "String",
"value": 42.5
}

DELETE /staged_config/yara_rules
Deletes all Yara rules from the QRadar system.

Deletes all Yara rules from the QRadar system.

Table 2143. DELETE /staged_config/yara_rules resource details
MIME Type
text/plain

There are no parameters for this endpoint.

Table 2144. DELETE /staged_config/yara_rules response codes
HTTP Response
Code Unique Code Description
204 Yara rules were successfully deleted from the
system.
500 1020 An error occurred during the attempt to delete the
Yara rules.

Response Description

In case of an error, the method returns an exception.

Response Sample

PUT /staged_config/yara_rules
Uploads the supplied Yara rule file to the QRadar system. If the provided Yara file
is empty - all rules are deleted from the system.

Uploads the supplied Yara rule file to the QRadar system.

Table 2145. PUT /staged_config/yara_rules resource details
MIME Type
text/plain

Chapter 7. Previous REST API versions 1077

 Table 2146. PUT /staged_config/yara_rules request body details
MIME
Parameter Data Type Type Description Sample
file File application/ Required - The Yara File
zip rule file. Must be
properly-formed Yara
rule content, either a
TEXT file, or a TEXT
file within a ZIP or
TAR.GZ archive. Must
be provided with MIME
type text/plain,
application/zip,
application/x-gzip or
multipart/form-data

Table 2147. PUT /staged_config/yara_rules response codes

HTTP Response
Code Unique Code Description
200 The supplied Yara rule file was uploaded.
422 1101 Must be a correctly-formatted Yara rule file.
422 1103 The archive file must only contain a single Yara rule
file.
422 1107 Invalid archive file was provided.
500 1104 Failed to extract the contents of the archive file.
500 1105 Yara validator script was terminated owing to
timeout.
500 1106 Yara validator script encountered an unknown
exception.

Response Description

In case of an error, the method returns an exception.

Response Sample

System endpoints
Use the references for REST API V7 system endpoints.

GET /system/information/locales
Retrieves a list of locales from the system, with the option to include samples.

Retrieves a list of locales from the system, with the option to include samples.
Table 2148. GET /system/information/locales resource details
MIME Type
application/json

1078 QRadar API Reference Guide

Table 2149. GET /system/information/locales request parameter details
Parameter Type Optionality Data Type MIME Type Description
sample_type query Optional String text/plain Optional - type of
samples for the locale.
Currently the only
supported option is
NUMBER.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The list
is indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2150. GET /system/information/locales response codes

HTTP Response
Code Unique Code Description
200 The requested list of locales was retrieved.
500 1020 An error occurred during the attempt to retrieve the
list of locales.

Response Description

A list of locales. A locale contains the following fields:

v id - String - The tag of the locale.
v label - String - The name of the locale.
v sample - String - The optional sample for the locale.

Response Sample
[
{
"id": "sq",
"label": "Albanian",
"sample": "1 234 567,89"
},
{
"id": "sq-AL",
"label": "Albanian (Albania)",
"sample": "1 234 567,89"
},
{

Chapter 7. Previous REST API versions 1079

 "id": "ar",
"label": "Arabic",
"sample": "}"
},
{
"id": "ar-DZ",
"label": "Arabic (Algeria)",
"sample": "1.234.567,89"
},
{
"id": "ar-BH",
"label": "Arabic (Bahrain)",
"sample": "}"
}
]

GET /system/servers
Retrieve a list of all server hosts in the deployment.
Table 2151. GET /system/servers resource details
MIME Type
application/json

Table 2152. GET /system/servers request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2153. GET /system/servers response codes

HTTP Response
Code Unique Code Description
200 The requested list of server records has been
successfully retrieved.

1080 QRadar API Reference Guide

Table 2153. GET /system/servers response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error has occurred while trying to retrieve the
requested servers.

Response Description

A list of the servers. A server record contains the following fields:

v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
[
{
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}
]

GET /system/servers/{server_id}
Retrieve a server host based on the supplied server ID.
Table 2154. GET /system/servers/{server_id} resource details
MIME Type
application/json

Table 2155. GET /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2156. GET /system/servers/{server_id} response codes

HTTP Response
Code Unique Code Description
200 The requested server record has been retrieved.

Chapter 7. Previous REST API versions 1081

 Table 2156. GET /system/servers/{server_id} response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Response Description

A server record containing the following fields:

v email_server_address - String - email server address
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

POST /system/servers/{server_id}
Updates an existing server.
Table 2157. POST /system/servers/{server_id} resource details
MIME Type
application/json

Table 2158. POST /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

1082 QRadar API Reference Guide

Table 2159. POST /system/servers/{server_id} request body details
Parameter Data Type MIME Type Description Sample
details Object application/json Required - A server {
details record "email_server_address":
containing the "String" }
following field:

email_server_address -
String - email server
address. Must be a
valid server address
that the server can
connect to through port
25.

Table 2160. POST /system/servers/{server_id} response codes

HTTP Response
Code Unique Code Description
200 The server record has been updated.
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
422 1006 Cannot connect to the mail server address on port
25.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Response Description

The updated server record containing the following fields:

v email_server_address - String - email server address.
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

GET /system/servers/{server_id}/firewall_rules
Retrieve a list of access control firewall rules based on the supplied server ID.
Table 2161. GET /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1083

 Table 2162. GET /system/servers/{server_id}/firewall_rules request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2163. GET /system/servers/{server_id}/firewall_rules response codes

HTTP Response
Code Unique Code Description
200 The rules records have been retrieved.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested access control firewall rules on the server
with the given Id.

Response Description

A list of the rules. Each rule record contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

1084 QRadar API Reference Guide

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

PUT /system/servers/{server_id}/firewall_rules
Set the access control firewall rules based on the supplied server ID.
Table 2164. PUT /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 2165. PUT /system/servers/{server_id}/firewall_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

Table 2166. PUT /system/servers/{server_id}/firewall_rules request body details

Parameter Data Type MIME Type Description Sample
rules Array<Object> application/json Required - A list of new [ { "is_any_source_ip":
rules in a JSON string. true, "port_range":
Each rule record "String", "port_type":
contains the following "String <one of: ANY,
field: SINGLE, RANGE>",
v is_any_source_ip - "protocol": "String <one
Boolean - Whether of: ANY, TCP, UDP>",
"single_port": "String",
any source IP is
"source_ip": "String" } ]
accepted
v port_range - String -
A port range in the
format of start-end
v port_type - String -
one of: ANY,
SINGLE, RANGE
v protocol - String -
one of: ANY, TCP,
UDP
v single_port - String -
A single port
v source_ip - String - A
specific IP address.

Table 2167. PUT /system/servers/{server_id}/firewall_rules response codes

HTTP Response
Code Unique Code Description
200 The rules have been updated.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.

Chapter 7. Previous REST API versions 1085

 Table 2167. PUT /system/servers/{server_id}/firewall_rules response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error has occurred while trying to set the access
control firewall rules on the server with the given Id.

Response Description

A list of the rules in a JSON string. Each rule contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

GET /system/servers/{server_id}/network_interfaces/bonded
Retrieves a list of the bonded network interfaces based on the supplied server ID.
Table 2168. GET /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 2169. GET /system/servers/{server_id}/network_interfaces/bonded request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1086 QRadar API Reference Guide

Table 2169. GET /system/servers/{server_id}/network_interfaces/bonded request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2170. GET /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response
Code Unique Code Description
200 A list of the bonded network interfaces were
retrieved.
404 1002 The requested server with the given server ID
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the
bonded interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

A list of the bonded network interfaces. Each record contains the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: YES,
NO, UNKNOWN
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a
new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.

Chapter 7. Previous REST API versions 1087

 v slaves - List - The slaves of the bonded network interface. Each slave record
contains the follow fields:
device_name - String - The name of the slave interface.
desc - String - The description of the slave interface.
role - String - The role of the slave interface. One of: slave, slave_disabled
is_cable_linked - String - Is the slave interface cable linked. One of: true,
false, unknown

Response Sample
[
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true,
false,
unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}
]

POST /system/servers/{server_id}/network_interfaces/bonded
Creates a new bonded network interface.
Table 2171. POST /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

1088 QRadar API Reference Guide

Table 2172. POST /system/servers/{server_id}/network_interfaces/bonded request
parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.

Table 2173. POST /system/servers/{server_id}/network_interfaces/bonded request body

details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - The details of the { "bonding_opts": "String", "ip": "String",
json bonded network interface that "ipversion": "String <one of: ipv4, ipv6>",
contains the following fields: "is_auto_ip": true,
"is_moving_config_with_active_ha": true,
v role - String - The role of the
"mask": "String", "role": "String <one of: regular,
network interface. One of:
management, hacrossover,
regular, monitor, disabled. hacrossover_disabled, monitor, disabled, slave,
v ipversion - String - The slave_disabled>", "slaves": [ { "device_name":
verson of the IP address that "String" } ] }
is configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address
that is configured on the
network interface. This
parameter is required when
ipversion is ipv4 or
(ipversion is ipv6 and
is_auto_ip is false). The
subnet that is computed from
the IP address and the mask
must not be the same subnet
that is configured on the
management interface.
v mask - String - The netmask
that is configured on the
network interface. This
parameter is equired when
ipversion is ipv4. The subnet
that is computed from the ip
and the mask must not be
the same subnet that is
configured on the
management interface.
v is_auto_ip - Boolean - Is the
address auto-configured?
Required.
v is_moving_config
_with_active_ha - Boolean -
Applies the same settings to
a new active HA server
during failover. This
parameter can be true only
when the server host is an
active HA server host.
v bonding_opts - String - The
bonding options that are
configured on the bonded
network interface.

Table 2174. POST /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response
Code Unique Code Description
201 The bonded network interface was created.
404 1002 The requested server with the given server_id
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.

Chapter 7. Previous REST API versions 1089

 Table 2174. POST /system/servers/{server_id}/network_interfaces/bonded response
codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while trying to create the bonded
interface on the server with the given ID.
500 1022 Timeout while performing the task.

Response Description

The created bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The Ip address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the Ip address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave
interface has one field: device_name. The device_name must be an existing
ethernet interface that cannot be the management interface, the HA crossover
interface or a slave interface of another bonded network interface. The array
must contain at least one ethernet interface.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",

1090 QRadar API Reference Guide

 "device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}

POST /system/servers/{server_id}/network_interfaces/bonded/
{device_name}
Updates an existing bonded network interface.
Table 2175. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
resource details
MIME Type
application/json

Table 2176. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.
device_name path Required String text/plain Required - The name
of an existing bonded
network interface.
The interface cannot
be the management
interface or HA
crossover interface.
The interface must be
cable linked.

Chapter 7. Previous REST API versions 1091

 Table 2177. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
request body details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - The details of the { "bonding_opts": "String", "ip": "String",
json bonded network interface that "ipversion": "String <one of: ipv4, ipv6>",
contains the following fields: "is_auto_ip": true,
"is_moving_config_with_active_ha": true,
v role - String - The role of the
"mask": "String", "role": "String <one of: regular,
network interface. One of:
management, hacrossover,
regular, monitor, disabled hacrossover_disabled, monitor, disabled, slave,
v ipversion - String - The slave_disabled>", "slaves": [ { "device_name":
verson of the IP address that "String" } ] }
is configured on the network
interface. one of: ipv4, ipv6.
v ip - String - The IP address
that is configured on the
network interface. This
parameter is required when
ipversion is ipv4 or
(ipversion is ipv6 and
is_auto_ip is false). The
subnet that is computed from
the IP address and the mask
must not be the same subnet
that is configured on the
management interface.
v mask - String - The netmask
that is configured on the
network interface. This
parameter is equired when
ipversion is ipv4. The subnet
that is computed from the IP
address and the mask must
not be the same subnet that
is configured on the
management interface.
v is_auto_ip - Boolean - Is the
IP address auto-configured?
Required.
v is_moving_config
_with_active_ha - Boolean -
Applies the same settings to
a new active HA server
during failover. This
parameter can be true only
when the server host is an
active HA server host
v slaves - Array - The slave
ethernet interfaces of the
bonded interface. Each slave
interface has one field:
device_name. The
device_name must be an
existing ethernet interface
wthat cannot be the
management interface, the
HA crossover interface, or a
slave interface of another
bonded network interface. If
slaves are not null, the slaves
in this array will override the
existing slaves of the bonded
interface. When not null, the
array must contain at least
one ethernet interface. If null,
the endpoint does not change
the existing slave interfaces.
v bonding_opts - String - The
bonding options that are
configured on the bonded
network interface

1092 QRadar API Reference Guide

Table 2178. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
response codes
HTTP Response
Code Unique Code Description
200 The bonded network interface was updated.
404 1002 The requested server with the given server ID
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the
specified bonded interfaces on the server with the
given ID.
500 1022 Timeout while performing the task.

Response Description

The updated bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. one of: ipv4, ipv6
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave
interface has two fields: device_name and role. The role is slave or
slave_disabled.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,

Chapter 7. Previous REST API versions 1093

 hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true,
false,
unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}

DELETE /system/servers/{server_id}/network_interfaces/bonded/
{device_name}
Removes a bonded network interface.
Table 2179. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}
resource details
MIME Type
text/plain

Table 2180. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.
device_name path Required String text/plain Required - The
device name of the
bonded network
interface.

Table 2181. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}

response codes
HTTP Response
Code Unique Code Description
200 The bonded network interface was removed.
404 1002 The requested server with the given server ID or the
bonded network interface cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to remove the
bonded interface on the server with the given ID.
500 1022 Timeout while performing the task.

1094 QRadar API Reference Guide

Response Description

Response Sample

GET /system/servers/{server_id}/network_interfaces/ethernet
Retrieves a list of the ethernet network interfaces based on the supplied server ID.
Table 2182. GET /system/servers/{server_id}/network_interfaces/ethernet resource details
MIME Type
application/json

Table 2183. GET /system/servers/{server_id}/network_interfaces/ethernet request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2184. GET /system/servers/{server_id}/network_interfaces/ethernet response codes

HTTP Response
Code Unique Code Description
200 A list of the ethernet network interfaces were
retrieved.
404 1002 The requested server with the given server ID
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the
ethernet interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Chapter 7. Previous REST API versions 1095

 Response Description

A list of the ethernet network interfaces. Each ethernet network interface contains
the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The IP that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface
v is_auto_ip - Boolean - Is the IP auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: true,
false, unknown.
v is_moving_config_with_active_ha - Boolean -Applies the same settings to a new
active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.

Response Sample
[
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]

POST /system/servers/{server_id}/network_interfaces/ethernet/
{device_name}
Updates an ethernet network interface based on the suppied server_Id and
device_name.
Table 2185. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
resource details
MIME Type
application/json

1096 QRadar API Reference Guide

Table 2186. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.
device_name path Required String text/plain Required - The name
of an existing
ethernet network
interface. The
interface cannot be
the management
interface, HA
crossover interface or
a slave of a bonded
interface. The
interface must be
cable linked.

Table 2187. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}

request body details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - An ethernet network { "ip": "String", "ipversion": "String <one of:
json interface record containing the ipv4, ipv6>", "is_auto_ip": true,
following fields: "is_moving_config_with_active_ha": true,
v role - String - The role of the "mask": "String", "role": "String <one of: regular,
management, hacrossover,
network interface. One of:
hacrossover_disabled, monitor, disabled, slave,
regular, monitor, disabled. slave_disabled>" }
v ipversion - String - The
verson of the IP address that
is configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address
that is configured on the
network interface. Required
when ipversion is ipv4 or
(ipversion is ipv6 and
is_auto_ip is false). The
subnet that is computed from
the IP address and the mask
must not be the same subnet
that is configured on the
management interface.
v mask - String - The netmask
that is configured on the
network interface. This
parameter is required when
ipversion is ipv4. The subnet
that is computed from the IP
address and the mask must
not be the same subnet that
is configured on the
management interface.
v is_auto_ip - Boolean - Is the
IP auto-configured. Required.
v is_moving_config
_with_active_ha - Boolean -
Applies the same settings to
a new active HA server
during failover. This
parameter can be true only
when the server host is an
active HA server host.

Chapter 7. Previous REST API versions 1097

 Table 2188. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
response codes
HTTP Response
Code Unique Code Description
200 The network interface has been updated.
404 1002 The requested server with the given server ID
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the
specified ethernet interfaces on the server with the
given ID.
500 1022 Timeout while performing the task.

Response Description

The updated ethernet network interface containing the following fields:

v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the that is IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.

Response Sample
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}

1098 QRadar API Reference Guide

REST API V6.0 References
Each API reference provides information about the parameters, mime type,
stability, and responses for each endpoint.

Analytics endpoints
Use the references for REST API V6.0 analytics endpoints.

GET /analytics/custom_actions/actions DEPRECATED

Retrieves a list of available custom actions.
Table 2189. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2190. GET /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2191. GET /analytics/custom_actions/actions response codes

HTTP Response
Code Unique Code Description
200 The requested list of custom actions have been
successfully retrieved.
500 1020 An internal server error occurred while retrieving
custom actions.

Chapter 7. Previous REST API versions 1099

 Response Description

Array of available custom actions which in turn contain the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions DEPRECATED

Creates a new custom action with the supplied fields.

The custom action must contain the following fields:

v name - Required - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:

1100 QRadar API Reference Guide

 name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Required - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Required - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.
value - Required - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 2192. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2193. POST /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2194. POST /analytics/custom_actions/actions request body details

Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON { "description":
object containing the "String", "interpreter":
supplied fields (see 42, "name": "String",
above for more "parameters": [ {
details). "encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 2195. POST /analytics/custom_actions/actions response codes

HTTP Response
Code Unique Code Description
201 A new custom action has been successfully created.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while posting
custom action.

Chapter 7. Previous REST API versions 1101

 Response Description

The newly created custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

GET /analytics/custom_actions/actions/{action_id} DEPRECATED

Retrieves a custom action based on the supplied action_id.
Table 2196. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 2197. GET /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Long id of the custom
(Integer) action to be retrieved.

1102 QRadar API Reference Guide

Table 2197. GET /analytics/custom_actions/actions/{action_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2198. GET /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action has been successfully
retrieved.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while retrieving
custom action with supplied action_id.

Response Description

A custom action with containing following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",

Chapter 7. Previous REST API versions 1103

 "parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id}
DEPRECATED
Updates an existing custom action.

The custom action must contain the following fields:

v id - Required - Number - Unique ID of the custom action within the QRadar
deployment.
v name - Optional - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Optional - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Optional - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.
value - Optional - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 2199. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 2200. POST /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action to be
updated.

1104 QRadar API Reference Guide

Table 2200. POST /analytics/custom_actions/actions/{action_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2201. POST /analytics/custom_actions/actions/{action_id} request body details

Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON { "description":
object which can "String", "id": 42,
contain the supplied "interpreter": 42,
fields (see above for "name": "String",
more details). "parameters": [ {
"encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 2202. POST /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The custom action has been updated.
404 1002 The requested custom action could not be found.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while updating
custom action with supplied action_id.

Response Description

The updated custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:

Chapter 7. Previous REST API versions 1105

 name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

DELETE /analytics/custom_actions/actions/{action_id}
DEPRECATED
Deletes an existing custom action.
Table 2203. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 2204. DELETE /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action you wish
to delete.

Table 2205. DELETE /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
204 The custom action has been deleted.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while deleting
custom action with supplied action_id.

Response Description

Empty response with 204 successful response code.

1106 QRadar API Reference Guide

Response Sample

GET /analytics/custom_actions/interpreters DEPRECATED

Retrieves a list of available custom action interpreters.
Table 2206. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

Table 2207. GET /analytics/custom_actions/interpreters request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2208. GET /analytics/custom_actions/interpreters response codes

HTTP Response
Code Unique Code Description
200 The requested list of custom action interpreters have
been retrieved.
500 1020 An internal server error occurred while retrieving
available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Chapter 7. Previous REST API versions 1107

 Response Sample
[
{
"id": 42,
"name": "String"
}
]

GET /analytics/custom_actions/interpreters/{interpreter_id}
DEPRECATED
Retrieves a custom action interpreter based on supplied interpreter ID.
Table 2209. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 2210. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
interpreter_id path Required Number text/plain Number id of custom
(Integer) action interpreter to be
retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2211. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes

HTTP Response
Code Unique Code Description
200 - The requested custom action interpreter has been
retrieved.
404 1002 The requested custom action interpreter could not be
found.
500 1020 An internal server error occurred while retrieving
custom action interpreter with supplied
interpreter_id.

Response Description

A custom action interpreter with the following fields:

v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

1108 QRadar API Reference Guide

Response Sample
{
"id": 42,
"name": "String"
}

GET /analytics/custom_actions/scripts DEPRECATED

Retrieves a list of meta-data for available custom action script files.
Table 2212. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 2213. GET /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2214. GET /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
500 1020 An internal server error occurred while retrieving
available custom action script file meta-data.

Response Description

Array of available custom action script file meta-data, each with the following
fields:

Chapter 7. Previous REST API versions 1109

 v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts DEPRECATED

Creates a new custom action script file. Newly created custom action script files
require a deployment before using.

Newly created custom action script files require a deployment before use. You can
include an optional HTTP header file_name that contains the custom action script
file name. If not specified, the custom action script file name defaults to the script
ID of the uploaded file.
Table 2215. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 2216. POST /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2217. POST /analytics/custom_actions/scripts request body details

Parameter Data Type MIME Type Description Sample
file File application/octet- Required. The custom File
stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Table 2218. POST /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
201 A custom action script file has been created.
500 1020 An internal server error occurred while posting
custom action script file.

1110 QRadar API Reference Guide

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script within the QRadar
deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/scripts/{script_id} DEPRECATED

Retrieves meta-data of a custom action script file based on supplied script_id.
Table 2219. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 2220. GET /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script
file.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2221. GET /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while retrieving
custom action script file meta-data with supplied
script_id.

Response Description

Custom action script file meta-data with the following fields:

Chapter 7. Previous REST API versions 1111

 v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id} DEPRECATED

Updates an existing custom action script file. Updated custom action script files
require a deployment before using.

Updated custom action script files require a deployment before use. You can
include an optional HTTP header file_name containing the custom action script file
name. If not specified, the custom action script file name defaults to the script ID
of the uploaded file.
Table 2222. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 2223. POST /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2224. POST /analytics/custom_actions/scripts/{script_id} request body details

Parameter Data Type MIME Type Description Sample
file File application/octet- Required. The custom File
stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Table 2225. POST /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
200 The custom action script file has been updated.

1112 QRadar API Reference Guide

Table 2225. POST /analytics/custom_actions/scripts/{script_id} response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while updating
custom action script file with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

DELETE /analytics/custom_actions/scripts/{script_id}
DEPRECATED
Deletes an existing custom action script file.
Table 2226. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 2227. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be deleted.

Table 2228. DELETE /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
204 The custom action script file has been deleted.
404 1002 The requested custom action script file could not be
found.
422 1005 The requested custom action script file is tied to an
existing custom action.
500 1020 An internal server error occurred while deleting
custom action script file with supplied script_id.

Response Description

Empty response with a 204 successful response code.

Chapter 7. Previous REST API versions 1113

 Response Sample

Ariel endpoints
Use the references for REST API V6.0 Ariel endpoints.

GET /ariel/databases DEPRECATED

Retrieve Ariel database names

Retrieve a list of available Ariel databases.

Table 2229. GET /ariel/databases resource details
MIME Type
application/json

Table 2230. GET /ariel/databases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2231. GET /ariel/databases response codes

HTTP Response
Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of Ariel databases.

Response Description

The names of the available Ariel databases.

Response Sample
[
"String"
]

GET /ariel/databases/{database_name} DEPRECATED

Retrieve the columns defined for a specific Ariel database.

This is the set of columns that can be explicitly named in the column list of a
SELECT query.

1114 QRadar API Reference Guide

Table 2232. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 2233. GET /ariel/databases/{database_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
database_name path Required String text/plain Required. The name of
the Ariel database that
contains the columns
that you want to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.

Table 2234. GET /ariel/databases/{database_name} response codes

HTTP Response
Code Unique Code Description
200 The database columns were retrieved.
404 1002 The database does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
database columns.

Response Description

A list of columns that are defined for the specified database. Multiple properties of
each column are returned. For example, the column name or an indication that the
column is indexable.

Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,

Chapter 7. Previous REST API versions 1115

 "name": "String"
}
]
}

GET /ariel/searches DEPRECATED

Retrieve Ariel search_ids.

Retrieve the list of Ariel searches. This includes search_ids for completed and
active searches.
Table 2235. GET /ariel/searches resource details
MIME Type
application/json

Table 2236. GET /ariel/searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2237. GET /ariel/searches response codes

HTTP Response
Code Unique Code Description
200 The search list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of searches.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

POST /ariel/searches DEPRECATED

Create a new asynchronous Ariel search

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query
expression. Searches are executed asynchronously. A reference to the search_id is

1116 QRadar API Reference Guide

returned and should be used in subsequent API calls to determine the status of the
search and retrieve the results once it is complete.

This endpoint only accepts SELECT and RUN query expressions.

Queries are applied to the range of data in a certain time interval. By default this
time interval is the last 60 seconds. An alternative time interval can be specified by
specifying them as part of the query expression. For further information, see the
AQL reference.
Table 2238. POST /ariel/searches resource details
MIME Type
application/json

Table 2239. POST /ariel/searches request parameter details

Parameter Type Optionality Data Type MIME Type Description
query_expression query Required String text/plain Required - The AQL
query to execute.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2240. POST /ariel/searches response codes

HTTP Response
Code Unique Code Description
201 A new Ariel search was successfully created.
409 1004 The search could not be created, the requested
search ID provided in the query_expression is
already in use. Please use a unique search ID (or
allow one to be generated).
422 2000 The query_expression contains invalid AQL syntax.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create a new
search.

Response Description

Information about the specified search, including the search_id. Use the search_id
to access or manipulate the search with the other API endpoints.

If the exact search being created was already recently created, the response
message will return a reference to the original search_id rather than creating a new
search.

Chapter 7. Previous REST API versions 1117

 Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

GET /ariel/searches/{search_id} DEPRECATED

Retrieve information about an Ariel search

Retrieve status information for a search, based on the search_id parameter. The
same informational fields are returned regardless of whether the search is in
progress or is complete.
Table 2241. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2242. GET /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The identifier
for an Ariel search.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1118 QRadar API Reference Guide

Table 2243. GET /ariel/searches/{search_id} response codes
HTTP Response
Code Unique Code Description
200 The search information was retrieved.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
search information.

Response Description

Information about the specified search, including the search status.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

POST /ariel/searches/{search_id} DEPRECATED

Update an Ariel search.

Update details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops
the search and keeps any search results that were collected before the search was
canceled.
v The results for a completed search can be saved by setting the save_results
parameter to true. This ensures that the search is not automatically removed
when it expires in accordance with the retention policy.

The Ariel server uses an internal retention policy to manage available disk space.
Searches might be deleted automatically, according to the settings of the retention

Chapter 7. Previous REST API versions 1119

 policy. Searches with saved results are not automatically reclaimed by the server
and are therefore retained. A search can be explicitly deleted by using the DELETE
/searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to
process new searches.
Table 2244. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2245. POST /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The ID of the
search to update.
save_results query Optional String text/plain Optional. The only
accepted value is true.
If this value is
provided, the search
results will not be
deleted by the search
expiration removal
process.
status query Optional String text/plain Optional. The only
accepted value is
CANCELED. If this
value is provided, the
search will be canceled.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2246. POST /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
200 The search was updated.
404 1002 The search does not exist.
409 1008 The current status of the search prevented the search
results from being saved.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the
search.

1120 QRadar API Reference Guide

Response Description

Information about the specified search that was updated.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

DELETE /ariel/searches/{search_id} DEPRECATED

Delete an Ariel search

Deletes an Ariel search. This discards any results that were collected and stops the
search if it is currently processing. This search is deleted regardless of whether the
results were saved.
Table 2247. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2248. DELETE /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required - The
search_id of the search
to delete.

Chapter 7. Previous REST API versions 1121

 Table 2248. DELETE /ariel/searches/{search_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2249. DELETE /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
202 The delete request has been accepted.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to delete the
search.

Response Description

Information about the deleted search

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

1122 QRadar API Reference Guide

GET /ariel/searches/{search_id}/results DEPRECATED
Retrieves search results in the requested format.

Retrieve the results of the Ariel search that is identified by the search_id. The
Accepts request header indicates the format of the result. The format can be JSON,
CSV, XML, or tabular text.

By default, all query result records are returned. To restrict the results to a
contiguous subset of the records, you can supply a Range header to specify the
inclusive range of records to be returned.

This end-point works with query results that are generated by AQL query
expressions. This endpoint might not work as expected for results that are
generated by other means. Search results might not be retrievable for searches that
are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP
from events.
Table 2250. GET /ariel/searches/{search_id}/results resource details
MIME Type
application/json application/csv text/table application/xml

Table 2251. GET /ariel/searches/{search_id}/results request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain The ID of the search
criteria for the returned
results.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2252. GET /ariel/searches/{search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The search results were retrieved.
404 1002 The search does not exist.
404 1003 Search results not found. The search is still in
progress.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
search results.

Chapter 7. Previous REST API versions 1123

 Response Description

The search results for the specified search_id. The format that is used to
encapsulate the data depends on the format specified in the Accept header for this
request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}

Asset model endpoints

Use the references for REST API V6.0 Asset Model endpoints.

GET /asset_model/assets DEPRECATED

List all assets found in the model.
Table 2253. GET /asset_model/assets resource details
MIME Type
application/json

Table 2254. GET /asset_model/assets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

1124 QRadar API Reference Guide

Table 2255. GET /asset_model/assets response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.
500 1020 The server encountered an error while trying to
retrieve the assets.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[{"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"network_id": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String"}]
}],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"}]
}]

POST /asset_model/assets/{asset_id} DEPRECATED

Update an asset with several pertinent pieces of information.

The asset_id tag is mandatory, and is the unique identifier for an asset. This field
is available through the /asset_model/assets or /asset_model/saved_searches/
{saved_search_id}/results query. To update properties, the property type ID which
is available through the /asset_model/properties query must be provided along
with the new value. See the sample provided demonstrating an example asset
update.
Table 2256. POST /asset_model/assets/{asset_id} resource details
MIME Type
text/plain

Chapter 7. Previous REST API versions 1125

 Table 2257. POST /asset_model/assets/{asset_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
asset_id path Required String text/plain Unique identifier of the
asset to update.

Table 2258. POST /asset_model/assets/{asset_id} request body details

Parameter Data Type MIME Type Description Sample
asset JSON application/json JSON representation of { "properties": [ {
an asset. "type_id": 1001, "value":
"given name value" }, {
"type_id": 1002, "value":
"unified name value" } ]
}

Table 2259. POST /asset_model/assets/{asset_id} response codes

HTTP Response
Code Unique Code Description
202 The request to update the asset was successful. The
update will take place when the asset profile
application receives the request.
422 1005 One or more of the requested property updates were
invalid.
500 1020 The server encountered an error registering the
update with the asset profile application.

Response Description

Information about the asset that was updated.

Response Sample
String

GET /asset_model/properties DEPRECATED

Get a list of available asset property types that can be used.

Get a list of available asset property types that can be used or applied against the
/asset_model/assets endpoint.
Table 2260. GET /asset_model/properties resource details
MIME Type
application/json

1126 QRadar API Reference Guide

Table 2261. GET /asset_model/properties request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2262. GET /asset_model/properties response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of asset property
types completed successfully.
500 1020 An error occurred while trying to retrieve the list of
asset property types.

Response Description

List of asset properties. Per asset property type: id and name that make up this
asset property type.

Response Sample
[
{
"custom": true,
"data_type": "String",
"display": true,
"id": 42,
"name": "String",
"state": 42
}
]

GET /asset_model/saved_searches DEPRECATED

Get a list of saved searches that can be used.

Chapter 7. Previous REST API versions 1127

 Get a list of saved searches that can be used or applied against the
/asset_model/saved_searches/{saved_search_id}/results query.
Table 2263. GET /asset_model/saved_searches resource details
MIME Type
application/json

Table 2264. GET /asset_model/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2265. GET /asset_model/saved_searches response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of saved searches
completed successfully.
500 1020 The server encountered an error while trying to
retrieve the list of saved searches.

Response Description

List of saved searches. Per saved search: id, name and list of filters that make up
this saved search

Response Sample
[
{
"columns": [
{
"name": "String",

1128 QRadar API Reference Guide

 "type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /asset_model/saved_searches/{saved_search_id}/results
DEPRECATED
Retrieves a list of assets based on the results of an asset saved search.
Table 2266. GET /asset_model/saved_searches/{saved_search_id}/results resource details
MIME Type
application/json

Table 2267. GET /asset_model/saved_searches/{saved_search_id}/results request

parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required String text/plain Unique identifier of the
saved search used to
retrieve assets.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.

Table 2268. GET /asset_model/saved_searches/{saved_search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.

Chapter 7. Previous REST API versions 1129

 Table 2268. GET /asset_model/saved_searches/{saved_search_id}/results response
codes (continued)
HTTP Response
Code Unique Code Description
422 1005 The unique identifier of the saved search provided
was invalid.
500 1003 The server encountered an error executing the saved
search.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
{
"domain_id": 42,
"id": 42,
"interfaces": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"ip_addresses": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"network_id": 42,
"type": "String",
"value": "String"
}
],
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String"
}
],
"properties": [
{
"id": 42,
"last_reported": 42,
"last_reported_by": "String",
"name": "String",
"type_id": 42,
"value": "String"
}
]
}
]

Authentication endpoints
Use the references for REST API V6.0 authentication endpoints.

1130 QRadar API Reference Guide

 POST /auth/logout DEPRECATED
Invoke this method as an authorized user and your session will be invalidated.
Table 2269. POST /auth/logout resource details
MIME Type
text/plain

There are no parameters for this endpoint.

Table 2270. POST /auth/logout response codes
HTTP Response
Code Unique Code Description
200 The session was invalidated.

Response Description

Returns true. Throws exception upon failure.

Response Sample
true

Configuration endpoints
Use the references for REST API V6.0 configuration endpoints.

GET /config/domain_management/domains DEPRECATED

Retrieves the list of all domains, active and deleted (including the default domain).

The list is ordered by domain ID. If domains were never configured, only the
default domain is returned.
Table 2271. GET /config/domain_management/domains resource details
MIME Type
application/json

Table 2272. GET /config/domain_management/domains request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 7. Previous REST API versions 1131

 Table 2272. GET /config/domain_management/domains request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2273. GET /config/domain_management/domains response codes

HTTP Response
Code Unique Code Description
200 The domain list has been successfully retrieved.
500 1020 An error occurred while the domain list was being
retrieved.

Response Description

The list of domain objects.

Response Sample
[
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [

1132 QRadar API Reference Guide

 42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}
]

POST /config/domain_management/domains DEPRECATED

Creates a new domain.
Table 2274. POST /config/domain_management/domains resource details
MIME Type
application/json

Table 2275. POST /config/domain_management/domains request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2276. POST /config/domain_management/domains request body details

Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object { "asset_scanner_ids":
(its id parameter is [42],
ignored). "custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

Chapter 7. Previous REST API versions 1133

 Table 2277. POST /config/domain_management/domains response codes
HTTP Response
Code Unique Code Description
201 The domain has been successfully created.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
created.

Response Description

A created domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/domain_management/domains/{domain_id}
DEPRECATED
Retrieves a domain by domain ID.
Table 2278. GET /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

1134 QRadar API Reference Guide

Table 2279. GET /config/domain_management/domains/{domain_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2280. GET /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully retrieved.
404 1002 No domain was found for the provided domain id.
500 1020 An error occurred while the domain was being
retrieved.

Response Description

A domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42

Chapter 7. Previous REST API versions 1135

 ],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

POST /config/domain_management/domains/{domain_id}
DEPRECATED
Updates an existing domain.
Table 2281. POST /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 2282. POST /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to update.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2283. POST /config/domain_management/domains/{domain_id} request body details

Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object. { "asset_scanner_ids":
[42],
"custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

1136 QRadar API Reference Guide

Table 2284. POST /config/domain_management/domains/{domain_id} response codes
HTTP Response
Code Unique Code Description
200 The domain has been successfully updated.
404 1002 No domain was found for the provided domain id.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
updated.

Response Description

The updated domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

DELETE /config/domain_management/domains/{domain_id}
DEPRECATED
Deletes a domain by domain ID.

All domain mappings are also deleted

Chapter 7. Previous REST API versions 1137

 Table 2285. DELETE /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 2286. DELETE /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2287. DELETE /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully deleted.
404 1002 No domain was found for the provided domain id.
422 1005 Default domain cannot be deleted.
500 1020 An error occurred while the domain was being
deleted.

Response Description

The deleted domain object with its parameter deleted set to true.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [

1138 QRadar API Reference Guide

 42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/access/tenant_management/tenants DEPRECATED

Retrieve the list of all tenants ordered by tenant ID.

Retrieve the list of all tenants. The list is ordered by tenant ID.
Table 2288. GET /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 2289. GET /config/access/tenant_management/tenants request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2290. GET /config/access/tenant_management/tenants response codes

HTTP Response
Code Unique Code Description
200 The tenant list was successfully retrieved.

Chapter 7. Previous REST API versions 1139

 Table 2290. GET /config/access/tenant_management/tenants response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while the tenant list was being
retrieved.

Response Description

a list of all the tenants

Response Sample
[
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}
]

POST /config/access/tenant_management/tenants DEPRECATED

Create a new tenant.
Table 2291. POST /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 2292. POST /config/access/tenant_management/tenants request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2293. POST /config/access/tenant_management/tenants request body details

Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

1140 QRadar API Reference Guide

Table 2294. POST /config/access/tenant_management/tenants response codes
HTTP Response
Code Unique Code Description
201 A new tenant was created successfully and returned
the new tenant object.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to create the tenant.

Response Description

a created tenant object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/access/tenant_management/tenants/{tenant_id}
DEPRECATED
Retrieve a tenant by tenant id.
Table 2295. GET /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 2296. GET /config/access/tenant_management/tenants/{tenant_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1141

 Table 2297. GET /config/access/tenant_management/tenants/{tenant_id} response codes
HTTP Response
Code Unique Code Description
200 The tenant was successfully retrieved.
404 1002 No tenant was found for the provided tenant id.
500 1020 An error occurred while the tenant was being
retrieved.

Response Description

the associated tenants object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

POST /config/access/tenant_management/tenants/{tenant_id}
DEPRECATED
Update a tenant
Table 2298. POST /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 2299. POST /config/access/tenant_management/tenants/{tenant_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - Integer - the
(Integer) tenant id to modify
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1142 QRadar API Reference Guide

Table 2300. POST /config/access/tenant_management/tenants/{tenant_id} request body
details
Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

Table 2301. POST /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response
Code Unique Code Description
200 A tenant profile that was updated successfully and
returned the updated tenant object.
404 1002 The tenant profile does not exist.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to retrieve/update the given tenant profile.

Response Description

the updated tenant object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

DELETE /config/access/tenant_management/tenants/{tenant_id}
DEPRECATED
Delete a tenant.

Deletes a tenant by tenant ID.

Table 2302. DELETE /config/access/tenant_management/tenants/{tenant_id} resource
details
MIME Type
application/json

Table 2303. DELETE /config/access/tenant_management/tenants/{tenant_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - String - id
(Integer) associated to a tenant

Chapter 7. Previous REST API versions 1143

 Table 2304. DELETE /config/access/tenant_management/tenants/{tenant_id} response
codes
HTTP Response
Code Unique Code Description
200 The tenant was deleted successfully (soft delete).
404 1002 The tenant does not exists.
500 1020 An error occurred while deleting tenant.

Response Description

the deleted tenant object with its parameter deleted set to true

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/extension_management/extensions DEPRECATED

Retrieve a list of extensions.
Table 2305. GET /config/extension_management/extensions resource details
MIME Type
application/json

Table 2306. GET /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1144 QRadar API Reference Guide

Table 2306. GET /config/extension_management/extensions request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2307. GET /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
200 The requested list of extensions has been retrieved.
422 22608 The supplied filter is invalid.
422 22615 Unknown status used in filter.
422 22610 The selected field cannot be utilized for sorting.
422 22609 Only top-level-elements of the root entity can be
sorted on.
500 22602 An error has occurred while trying to retrieve the
list of extensions.

Response Description

A list of extensions. Each extension contains the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.

Chapter 7. Previous REST API versions 1145

 v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
[
{
"file_location": "/store/cmt/exports/custom_rule.zip",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 3,
"identifier": "No Description Supplied",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Blacklist",
"content_type_name": "reference_data"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Whitelist",
"content_type_name": "reference_data"
},
{
"content_type_id": 32,
"identifier": "No Description Supplied",
"content_type_name": "reference_data_rules"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150825133843",
"size": 8575,
"id": 59,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "custom_rule.xml",
"install_time": 1440788704856,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440693660702
},
{
"file_location": "/store/cmt/exports/qidmap.xml",
"supported_languages": [
"en_US"
],

1146 QRadar API Reference Guide

 "contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmap.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}
]

POST /config/extension_management/extensions DEPRECATED

Uploads the supplied extension file to the IBM Security QRadarsystem.
Table 2308. POST /config/extension_management/extensions resource details
MIME Type
application/json

Table 2309. POST /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1147

 Table 2310. POST /config/extension_management/extensions request body details
Parameter Data Type MIME Type Description Sample
file File application/x-gzip Required - The File
Extension file. Must be
a properly-formed
QRadar
extension/content
export, either an XML
file or an XML within a
ZIP or TAR.GZ archive.
Must be provided with
MIME type
application/xml,
application/zip,
application/x-gzip or
multipart/form-data

Table 2311. POST /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
201 The supplied extension file has been uploaded.
409 22613 The supplied extension file can not be uploaded
because it shares the same hub_id and version as
one of the extensions in the system.
422 22607 The supplied extension could not be validated
successfully
422 22616 The supplied manifest for the extension is invalid.
500 22602 An error has occurred while trying to upload the
extension file.

Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.

1148 QRadar API Reference Guide

v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

GET /config/extension_management/extensions/{extension_id}
DEPRECATED
Retrieves an extension based on the supplied extension ID.
Table 2312. GET /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1149

 Table 2313. GET /config/extension_management/extensions/{extension_id} request
parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2314. GET /config/extension_management/extensions/{extension_id} response codes

HTTP Response
Code Unique Code Description
200 The requested extension has been retrieved.
404 22603 The requested extension cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
requested extension.

Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.

1150 QRadar API Reference Guide

v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

POST /config/extension_management/extensions/{extension_id}
DEPRECATED
Install an extension based on the supplied extension ID. This is an asynchronous
action.

Installs the Extension corresponding to the supplied extension ID Alternatively can

be used to preview an extension, showing what values are applied if the extension
is installed.
Table 2315. POST /config/extension_management/extensions/{extension_id} resource
details
MIME Type
application/json

Chapter 7. Previous REST API versions 1151

 Table 2316. POST /config/extension_management/extensions/{extension_id} request
parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
action_type query Required String text/plain Required - The desired
action to take on the
Extension (INSTALL or
PREVIEW)
overwrite query Optional Boolean text/plain Optional - If true, any
existing items on the
importing system will be
overwritten if the
extension contains the
same items. If false,
existing items will be
preserved, and the
corresponding items in
the extension will be
skipped.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2317. POST /config/extension_management/extensions/{extension_id} response

codes
HTTP Response
Code Unique Code Description
202 The requested install or preview task has been
started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22612 The supplied extension cannot be
installed/previewed because it is already installed
409 22611 The supplied extension cannot be
installed/previewed because it is already in the
process of being installed/previewed.
409 22618 The requested task can not be initiated because
another preview/install task is already in progress.
422 22605 The supplied action type is invalid
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to install or
preview the requested extension.

1152 QRadar API Reference Guide

Response Description

A JSON string depicting the accepted task for previewing/installing an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

DELETE /config/extension_management/extensions/
{extension_id} DEPRECATED
Uninstall an extension based on the supplied extension ID. This is an
asynchronous action.
Table 2318. DELETE /config/extension_management/extensions/{extension_id} resource
details
MIME Type
application/json

Table 2319. DELETE /config/extension_management/extensions/{extension_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension to be
uninstalled.

Chapter 7. Previous REST API versions 1153

 Table 2319. DELETE /config/extension_management/extensions/{extension_id} request
parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2320. DELETE /config/extension_management/extensions/{extension_id} response

codes
HTTP Response
Code Unique Code Description
202 The requested uninstall task has been started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22611 The supplied extension cannot be uninstalled
because it is already in the process of being
uninstalled.
409 22617 The extension can not be uninstalled because it is
already in the process of being previewed/installed.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to uninstall an
extension.

Response Description

A JSON string depicting the accepted task for uninstalling an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,

1154 QRadar API Reference Guide

 "cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

GET /config/extension_management/extensions_task_status/
{status_id} DEPRECATED
Retrieves the tasks status based on the status ID.
Table 2321. GET /config/extension_management/extensions_task_status/{status_id}
resource details
MIME Type
application/json

Table 2322. GET /config/extension_management/extensions_task_status/{status_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - the id of the
(Integer) task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2323. GET /config/extension_management/extensions_task_status/{status_id}

response codes
HTTP Response
Code Unique Code Description
200 The requested task status has been retrieved.
404 22604 The task status for status_id cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
task status.

Response Description

A task status containing the following fields:

v id - Number - The ID of the task status.
v name - String - The name of the task status.
v status - String - A string that represents the current state of the task status.
v message - String - A message regarding the current state of the task.

Chapter 7. Previous REST API versions 1155

 v progress - Number - The current progress of the task
v minimum - Number - The minimum progress of the task.
v maximum - Number - The maximum progress of the task.
v created_by - String - The username of the user who created the task.
v cancelled_by - String - The username of the user who cancelled the task.
v created - Number - The date/time at which this task was created, represented as
number of milliseconds since Unix epoch.
v started - Number - The date/time at which this task was started, represented as
number of milliseconds since Unix epoch.
v modified - Number - The date/time at which this task was last modified,
represented as number of milliseconds since Unix epoch.
v completed - Number - The date/time at which this task was completed,
represented as number of milliseconds since Unix epoch.
v result_url - String - The url where the result can be viewed.
v cancel_requested - Boolean - True if cancel has been requested.
v child_tasks - Array - Array of child task id's that are executed asynchronously
from this task.
v task_components - Array - Array of task components that are executed
sequentially.

Response Sample
{
"progress": 0,
"result_url": "",
"cancelled_by": "",
"status": "COMPLETED",
"task_components": null,
"modified": 1440891517961,
"id": 102,
"message": "Completed Extension uninstallation task for extension id 56",
"created_by": "admin",
"created": 1440891514006,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891514041,
"completed": 1440891515224
}

GET /config/extension_management/extensions_task_status/
{status_id}/results DEPRECATED
Retrieves the tasks status results based on the status ID.
Table 2324. GET /config/extension_management/extensions_task_status/{status_id}/results
resource details
MIME Type
application/json

1156 QRadar API Reference Guide

Table 2325. GET /config/extension_management/extensions_task_status/{status_id}/results
request parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - The id of
(Integer) the task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2326. GET /config/extension_management/extensions_task_status/{status_id}/results

response codes
HTTP Response
Code Unique Code Description
200 The requested results of the task status have been
retrieved.
404 22604 The task status for status_id cannot be found.
404 22614 The task results are not available.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
results of a task status.

Response Description

A JSON object representing the result of an Extension preview, install or uninstall

task. It contains the following fields:
v id - Number - The ID of the extension.
v task_type - String - The type of task that was issued against the Extension.
v content - Array - An array of JSON objects representing the contents of the
extension and what action is associated with each content item for the task that
was executed. Each content item contains the following fields:
name - String - The name of the content item.
content_type_id - Number - The ID of the type of the content item.
content_type_name - String - The name of the type of the content item.
action - String - The action taken for the content item.

Response Sample
{
"id": 56,
"task_type": "UNINSTALL",
"content": [
{
"content_type_id": 3,
"name": "SYSTEM-1607",

Chapter 7. Previous REST API versions 1157

 "action": "SKIP",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"name": "Asset Reconciliation IPv4 Whitelist",
"action": "SKIP",
"content_type_name": "reference_data"
}
]
}

GUI application framework endpoints

Use the references for REST API V6.0 GUI application framework endpoints.

GET /gui_app_framework/application_creation_task
DEPRECATED
Retrieve status details.

Retrieve a list of status details of all asynchronous requests to create applications.

Table 2327. GET /gui_app_framework/application_creation_task resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2328. GET /gui_app_framework/application_creation_task response codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the requests to create applications.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

1158 QRadar API Reference Guide

POST /gui_app_framework/application_creation_task
DEPRECATED
Creates a new application within the Application framework.

Create a new application within the Application framework, and register it with
QRadar. The application is created asynchronously. A reference to the
application_id is returned and should be used in subsequent API calls to determine
the status of the application installation.
Table 2329. POST /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 2330. POST /gui_app_framework/application_creation_task request body details

Parameter Data Type MIME Type Description Sample

package zip application/zip A zip file, that contains null

custom code, and a
application manifest JSON file
descriptor

Table 2331. POST /gui_app_framework/application_creation_task response codes

HTTP Response
Code Unique Code Description
201 The application was installed and registered
successfully.

409 1008 An application with that UUID is already installed.

Only an upgrade or delete can be performed in this
state.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"

Chapter 7. Previous REST API versions 1159

 }
]
}
]

GET /gui_app_framework/application_creation_task/
{application_id} DEPRECATED
Retrieve a list of status details of a asynchronous request to create application.
Table 2332. GET /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 2333. GET /gui_app_framework/application_creation_task/{application_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get the status
(Integer) details of this application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 2334. GET /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the request to create application.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"

1160 QRadar API Reference Guide

 }
]
}
]

POST /gui_app_framework/application_creation_task/
{application_id} DEPRECATED
Cancel a new application install within the Application framework.

Use this endpoint to cancel a new application install within the Application
framework. The application_id and a status are required.
Table 2335. POST /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 2336. POST /gui_app_framework/application_creation_task/{application_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number text/plain Required - The
(Integer) application_id to cancel
installing.
status query Required String text/plain Required - The status to
update the application
install to. Currently only
CANCELLED is
supported

Table 2337. POST /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 The application installation was canceled and
unregistered successfully.
404 1002 The application_id is invalid or could not be found.
422 1005 The status is not valid.
500 1020 An error occurred when attempting to update the
Application request state.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{

Chapter 7. Previous REST API versions 1161

 "code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

GET /gui_app_framework/applications DEPRECATED

Retrieve list of applications

Retrieve a list of applications that are installed on the console, with their manifest
json structures and current status.
Table 2338. GET /gui_app_framework/applications resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2339. GET /gui_app_framework/applications response codes
HTTP Response
Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of applications.

Response Description

The list of applications.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",

1162 QRadar API Reference Guide

 "required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

Chapter 7. Previous REST API versions 1163

 "gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

GET /gui_app_framework/applications/{application_id}
DEPRECATED
Retrieve specific application

Retrieve a specific application installed on the console with manifest json structure
and current status.
Table 2340. GET /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

1164 QRadar API Reference Guide

Table 2341. GET /gui_app_framework/applications/{application_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get specific
(Integer) installed application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 2342. GET /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
application.

Response Description

The specific application.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}

Chapter 7. Previous REST API versions 1165

 ],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},

1166 QRadar API Reference Guide

 {
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

POST /gui_app_framework/applications/{application_id}
DEPRECATED
Update an Application

Start or stop an application by setting status to RUNNING or STOPPED

respectively.
Table 2343. POST /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 2344. POST /gui_app_framework/applications/{application_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to
update.

Chapter 7. Previous REST API versions 1167

 Table 2344. POST /gui_app_framework/applications/{application_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
status query Required String text/plain Required - The
status of the
application to set to
RUNNING or
STOPPED.

Table 2345. POST /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application has been successfully updated
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
422 1005 The application status is not valid.
500 1020 An error occurred while attempting to update the
application.

Response Description

Application structure including application status.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy

1168 QRadar API Reference Guide

 of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",

Chapter 7. Previous REST API versions 1169

 "javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

PUT /gui_app_framework/applications/{application_id}
DEPRECATED
Upgrade an application.

Upgrade an application.
Table 2346. PUT /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 2347. PUT /gui_app_framework/applications/{application_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain null
(Integer)

1170 QRadar API Reference Guide

Table 2348. PUT /gui_app_framework/applications/{application_id} request body details
Parameter Data Type MIME Type Description Sample
package zip application/zip A zip file, that contains null
custom code, and a
application manifest
JSON file descriptor

Table 2349. PUT /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
202 The request for an application upgrade was
accepted.
404 1002 The application_id is invalid or could not be found.
409 1008 The application is locked by another process.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

DELETE /gui_app_framework/applications/{application_id}
DEPRECATED
Delete an Application.
Table 2350. DELETE /gui_app_framework/applications/{application_id} resource details
MIME Type
text/plain

Chapter 7. Previous REST API versions 1171

 Table 2351. DELETE /gui_app_framework/applications/{application_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to delete.

Table 2352. DELETE /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
204 The application has been successfully unregistered.
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
500 1020 An error occurred while attempting to delete the
application.

Response Description

Successful response code 204 No content.

Response Sample

Help endpoints
Use the references for REST API V6.0 Help endpoints.

GET /help/endpoints DEPRECATED

Retrieves a list of endpoint documentation objects that are currently in the system.

Retrieves a list of endpoint documentation objects that are currently in the system.
Table 2353. GET /help/endpoints resource details
MIME Type
application/json

Table 2354. GET /help/endpoints request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

1172 QRadar API Reference Guide

Table 2354. GET /help/endpoints request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2355. GET /help/endpoints response codes

HTTP Response
Code Unique Code Description
200 The endpoint documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of endpoint documentation objects. An endpoint documentation object

contains the following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent.
It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false
otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD,
POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this
endpoint.
v error_responses(response_code) - Number - The HTTP code for this error
response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error
response.
v error_responses(response_code_description) - String - The description of the
response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.

Chapter 7. Previous REST API versions 1173

 v success_responses - Array of Objects - A list of potential success responses for
this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.
v success_responses(response_code_description) - String - The name for the
response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME
types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME
type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if
there is no default value for this parameter. This is always a String, regardless of
the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER,
PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for
this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of
this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the
parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last
modified. It is less than or equal to the version in the version field.
v caller_has_access - Boolean - True if the user has the required capabilities to call
this endpoint, false otherwise.

Response Sample
[
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,

1174 QRadar API Reference Guide

 TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{
"default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}
]

GET /help/endpoints/{endpoint_id} DEPRECATED

Retrieves a single endpoint documentation object.

Retrieves a single endpoint documentation object.

Table 2356. GET /help/endpoints/{endpoint_id} resource details
MIME Type
application/json

Table 2357. GET /help/endpoints/{endpoint_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
endpoint_id path Required Number text/plain The endpoint id.
(Integer)

Chapter 7. Previous REST API versions 1175

 Table 2357. GET /help/endpoints/{endpoint_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2358. GET /help/endpoints/{endpoint_id} response codes

HTTP Response
Code Unique Code Description
200 The endpoint documentation object was retrieved.
404 1002 No endpoint documentation object was found for
the provided endpoint id.
500 1020 An unexpected error has occurred.

Response Description

An endpoint documentation object. An endpoint documentation object contains the

following fields:
v id - Number - The ID of the endpoint documentation. This ID is not permanent.
It might change any time services are restarted.
v summary - String - A brief summary of the endpoint.
v deprecated - Boolean - Returns true if the endpoint is deprecated. Returns false
otherwise.
v http_method - String - The HTTP request type. One of OPTIONS, GET, HEAD,
POST, PUT, DELETE, TRACE, CONNECT, PATCH.
v error_responses - Array of Objects - A list of potential error responses of this
endpoint.
v error_responses(response_code) - Number - The HTTP code for this error
response.
v error_responses(description) - String - The description for this error response.
v error_responses(unique_code) - Number - The unique code for this error
response.
v error_responses(response_code_description) - String - The description of the
response.
v response_description - String - The description of the response.
v version - String - The version of this endpoint.
v success_responses - Array of Objects - A list of potential success responses for
this endpoint.
v success_responses(response_code) - Number - The HTTP code for this response.
v success_responses(description) - String - The description of this response.

1176 QRadar API Reference Guide

v success_responses(response_code_description) - String - The name for the
response code from RFC 2616.
v description - String - A description of this endpoint.
v path - String - The path of this endpoint.
v response_mime_types - Array of Objects - A list of possible response MIME
types for this endpoint.
v response_mime_types(mime_type) - String - The MIME type.
v response_mime_types(sample) - String - The sample of this response MIME
type.
v parameters - Array of Objects - A list of user parameters for this endpoint.
v parameters(description) - String - A description of this parameter.
v parameters(default_value) - String - The default value of this parameter. Null if
there is no default value for this parameter. This is always a String, regardless of
the underlying data type of the parameter.
v parameters(type) - String - The type of parameter, one of QUERY, HEADER,
PATH, BODY.
v parameters(parameter_name) - String - The name of this parameter.
v parameters(mime_types) - Array of Objects - A list of possible mime_types for
this parameter.
v parameters(mime_types(data_type)) - String - A description of the data type of
this parameter.
v parameters(mime_types(mime_type)) - String - The MIME type of the
parameter.
v parameters(mime_types(sample)) - String - The sample for this parameter.
v resource_id - Number - The ID of the associated resource.
v last_modified_version - String - The API version this endpoint was last
modified. It will be less than or equal to the version in the version field.
v caller_has_access - Boolean - Returns true if the user has the required
capabilities to call this endpoint. Returns false otherwise.

Response Sample
{
"caller_has_access": true,
"deprecated": true,
"description": "String",
"error_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String",
"unique_code": 42
}
],
"http_method": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"id": 42,
"last_modified_version": "String",
"parameters": [
{

Chapter 7. Previous REST API versions 1177

 "default_value": "String",
"description": "String",
"mime_types": [
{
"data_type": "String",
"mime_type": "String",
"sample": "String"
}
],
"parameter_name": "String",
"type": "String <one of: QUERY,
HEADER,
PATH,
BODY>"
}
],
"path": "String",
"resource_id": 42,
"response_description": "String",
"response_mime_types": [
{
"mime_type": "String",
"sample": "String"
}
],
"success_responses": [
{
"description": "String",
"response_code": 42,
"response_code_description": "String"
}
],
"summary": "String",
"version": "String"
}

GET /help/resources DEPRECATED

Retrieves a list of resource documentation objects currently in the system.

Retrieves a list of resource documentation objects currently in the system.

Table 2359. GET /help/resources resource details
MIME Type
application/json

Table 2360. GET /help/resources request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

1178 QRadar API Reference Guide

Table 2360. GET /help/resources request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2361. GET /help/resources response codes

HTTP Response
Code Unique Code Description
200 The resource documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of resource documentation objects. A resource documentation object

contains the following fields:
v id - Number - The ID of the resource documentation object. This ID is not
permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs
that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for
endpoints on this resource.
v resource - String - The current resource.
v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of
this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
[
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],

Chapter 7. Previous REST API versions 1179

 "id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}
]

GET /help/resources/{resource_id} DEPRECATED

Retrieves a single resource documentation object.

Retrieves a single resource documentation object.

Table 2362. GET /help/resources/{resource_id} resource details
MIME Type
application/json

Table 2363. GET /help/resources/{resource_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
resource_id path Required Number text/plain The resource id.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2364. GET /help/resources/{resource_id} response codes

HTTP Response
Code Unique Code Description
200 The resource documentation object was retrieved.
404 1002 No resource documentation object was found for the
provided resource ID.
500 1020 An unexpected error has occurred.

Response Description

A resource documentation object. A resource documentation object contains the

following fields:
v id - Number - The ID of the resource documentation object. This ID is not
permanent. It might change any time services are restarted.
v child_resource_ids - Array of Numbers - A list of resource documentation IDs
that are the children of this resource.
v endpoint_ids - Array of Numbers - A list of endpoint documentation IDs for
endpoints on this resource.
v resource - String - The current resource.

1180 QRadar API Reference Guide

v path - String - The full path of the current resource.
v parent_resource_id - Number - The resource documentation ID of the parent of
this resource. Null if this is a root resource.
v version - String - The version of this resource.

Response Sample
{
"child_resource_ids": [
42
],
"endpoint_ids": [
42
],
"id": 42,
"parent_resource_id": 42,
"path": "String",
"resource": "String",
"version": "String"
}

GET /help/versions DEPRECATED

Retrieves a list of version documentation objects currently in the system.

Retrieves a list of version documentation objects currently in the system.

Table 2365. GET /help/versions resource details
MIME Type
application/json

Table 2366. GET /help/versions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 7. Previous REST API versions 1181

 Table 2367. GET /help/versions response codes
HTTP Response
Code Unique Code Description
200 The version documentation list was retrieved.
500 1020 An unexpected error has occurred.

Response Description

An array of version documentation objects. A version documentation object

contains the following fields:
v id - Number - The ID of the version documentation object. This ID is not
permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false
otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false
otherwise. Endpoints cannot be called from an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in
this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
[
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}
]

GET /help/versions/{version_id} DEPRECATED

Retrieves a single version documentation object.

Retrieves a single version documentation object.

Table 2368. GET /help/versions/{version_id} resource details
MIME Type
application/json

Table 2369. GET /help/versions/{version_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
version_id path Required Number text/plain The ID of the version
(Integer) documentation to
retrieve.

1182 QRadar API Reference Guide

 Table 2369. GET /help/versions/{version_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2370. GET /help/versions/{version_id} response codes

HTTP Response
Code Unique Code Description
200 The version documentation object was retrieved.
404 1002 No version documentation object was found for the
provided version id.
500 1020 An unexpected error has occurred.

Response Description

A version documentation object. A version documentation object contains the

following fields:
v id - Number - The ID of the version documentation object. This ID is not
permanent. It might change any time services are restarted.
v deprecated - Boolean - Returns true if this version is deprecated. Returns false
otherwise.
v removed - Boolean - Returns true if this version is removed. Returns false
otherwise. Endpoints cannot be called with an API version that is removed.
v root_resource_ids - Array of Numbers - Resource IDs of the root resources in
this version of the API.
v version - String - The API version that this version documentation represents.

Response Sample
{
"deprecated": true,
"id": 42,
"removed": true,
"root_resource_ids": [
42
],
"version": "String"
}

QRadar Vulnerability Manager endpoints

Use the references for REST API V6.0 QRadar Vulnerability Manager endpoints.

Chapter 7. Previous REST API versions 1183

 GET /qvm/assets DEPRECATED
List the assets with discovered vulnerabilities present in the asset model. The
response contains all available RESTful resources.
Table 2371. GET /qvm/assets resource details
MIME Type
application/json

Table 2372. GET /qvm/assets request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2373. GET /qvm/assets response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by asset
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of assets data

Response Sample

GET /qvm/filters DEPRECATED

Get a list of the allowable filters that can be used or applied against /qvm
endpoints.
v /qvm/assets
v /qvm/vulns
v /qvm/vulninstances
v /qvm/openservices
v /qvm/networks
v queries
Table 2374. GET /qvm/filters resource details
MIME Type
application/json

There are no parameters for this endpoint.

1184 QRadar API Reference Guide

Table 2375. GET /qvm/filters response codes
HTTP Response
Code Unique Code Description
200 The search executed successfully
420 9102 An error occurred while executing the search

Response Description

list of Filters.

Response Sample

GET /qvm/network DEPRECATED

List the networks present in the asset model with vulnerabilities present. The
response contains all available RESTful resources
Table 2376. GET /qvm/network resource details
MIME Type
application/json

Table 2377. GET /qvm/network request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2378. GET /qvm/network response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by network
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of network related data

Response Sample

GET /qvm/openservices DEPRECATED

List the openservices present in the asset model with vulnerabilities present. The
response will contain all available RESTful resources

Chapter 7. Previous REST API versions 1185

 Table 2379. GET /qvm/openservices resource details
MIME Type
application/json

Table 2380. GET /qvm/openservices request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2381. GET /qvm/openservices response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by open
service completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of open services related data

Response Sample

GET /qvm/saved_searches DEPRECATED

Retrieves a list of vulnerability instance saved searches.

Retrieves a list of vulnerability instance saved searches.

Table 2382. GET /qvm/saved_searches resource details
MIME Type
application/json

Table 2383. GET /qvm/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

1186 QRadar API Reference Guide

Table 2383. GET /qvm/saved_searches request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2384. GET /qvm/saved_searches response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully.
500 1020 An error occurred while trying to retrieve the list of
saved searches.

Response Description

A list of vulnerability instance saved searches that can be used or applied against:
v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

Each saved search that is returned includes an ID, name, and list of filters that
make up this saved search.

Response Sample
[
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

Chapter 7. Previous REST API versions 1187

 GET /qvm/saved_searches/vuln_instances/{task_id}/results/
assets DEPRECATED
Lists the Vulnerability Instances assets that are returned from the vulnerability
instance saved search.

Lists the Vulnerability Instances assets that are returned from the saved search.
Table 2385. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets resource
details
MIME Type
application/json

Table 2386. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2387. GET /qvm/saved_searches/vuln_instances/{task_id}/results/assets response

codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving results.

1188 QRadar API Reference Guide

Response Description

A list of assets associated with the vulnerability instance data.

Response Sample
[{"risk_policies": [{"passed": true,
"name": "String",
"last_evaluated": 42,
"question_type": "String",
"groups": ["String"]}],
"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String",
"network_name": "String"
}]
}],
"hostnames": ["String"],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"
}],
"operating_systems": [{"last_seen_date": 42,
"name": "String"
}]
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
vuln_instances DEPRECATED
Lists the Vulnerability Instances returned from a vulnerability instance saved
search.

Lists the Vulnerability Instances returned from a saved search.

Table 2388. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1189

 Table 2389. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances
request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2390. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vuln_instances

response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully.
404 1002 Resource not found
500 1020 An error occurred while retrieving results

Response Description

A list of vulnerability instance data.

Response Sample
[{"id": 42,
"cvss_environmental_score_string": "String",
"last_seen_date": 42,
"asset_id": 42,
"domain_id": 42,
"relevant_patches": [{"security_notice": "String",
"description": "String",
"patch_type": "String <one of: OS, NONOS>"
}],
"cvss_environmental_score": 42.5,

1190 QRadar API Reference Guide

 "seen_by_scan_profile": "String",
"risk_score": 42.5,
"vulnerability_id": 42,
"first_seen_date": 42
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/results/
vulnerabilities DEPRECATED
List the Vulnerability Instances vulnerabilities returned from the saved search.
Table 2391. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities
resource details
MIME Type
application/json

Table 2392. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2393. GET /qvm/saved_searches/vuln_instances/{task_id}/results/vulnerabilities

response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully
404 1002 Resource not found
500 1020 Error while retrieving results

Chapter 7. Previous REST API versions 1191

 Response Description

list of vulnerability instance data

Response Sample
[{"cvss_base_score_string": "String",
"virtual_patches": [{"device": "String",
"qid": "String",
"signature": "String"
}],
"osvdb_title": "String",
"cvss_temporal_score": 42.5,
"cvss_base_score": 42.5,
"concern": "String",
"cve_ids": ["String"],
"critical_details": "String",
"risk_factor": {"name": "String <one of: High,
Medium,
Low,
Warning>",
"code": 42
},
"cvss_temporal_score_string": "String",
"severity": {"name": "String <one of: Patch,
Urgent,
Critical,
High,
Medium,
Low>",
"code": 42
},
"remediation": "String",
"id": 42, "patches": [{"security_notice": "String",
"description": "String"
}],
"description": "String"
}]

GET /qvm/saved_searches/vuln_instances/{task_id}/status
DEPRECATED
Retrieves the current status of a vulnerability instance search that was initiated.

Retrieves the current status of a vulnerability instance search that was initiated.
Table 2394. GET /qvm/saved_searches/vuln_instances/{task_id}/status resource details
MIME Type
application/json

Table 2395. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
task_id path Required Number text/plain null
(Integer)

1192 QRadar API Reference Guide

Table 2395. GET /qvm/saved_searches/vuln_instances/{task_id}/status request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2396. GET /qvm/saved_searches/vuln_instances/{task_id}/status response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the current status of the
vulnerability instance search completed successfully.
404 1002 Resource not found.
500 1020 An error occurred while retrieving status.

Response Description

Returns the status of the selected vulnerability instance search.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED, EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

GET /qvm/saved_searches/{saved_search_id} DEPRECATED

Retrieves a vulnerability instance saved search.

Retrieves a vulnerability instance saved search.

Table 2397. GET /qvm/saved_searches/{saved_search_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1193

 Table 2398. GET /qvm/saved_searches/{saved_search_id} request parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2399. GET /qvm/saved_searches/{saved_search_id} response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of vulnerability
instance saved searches completed successfully
404 1002 The Saved Search does not exist
500 1020 An error occurred while trying to retrieve the
vulnerability instance saved search

Response Description

A vulnerability instance saved search that can be used or applied against:

v /qvm/saved_searches/{saved_search_id}/vuln_instances
v /qvm/assets
v /qvm/vulns
v /qvm/openservices
v /qvm/networks

The saved search contains an ID, name, and list of filters that make up this saved
search.

Response Sample
{
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}

GET /qvm/saved_searches/{saved_search_id}/vuln_instances
DEPRECATED
Creates the Vulnerability Instances search. This search will return a maximum of
100,000 results.

1194 QRadar API Reference Guide

Creates the Vulnerability Instances search. This search will return a maximum of
100,000 results.
Table 2400. GET /qvm/saved_searches/{saved_search_id}/vuln_instances resource details
MIME Type
application/json

Table 2401. GET /qvm/saved_searches/{saved_search_id}/vuln_instances request

parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required Number text/plain ID of saved search
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2402. GET /qvm/saved_searches/{saved_search_id}/vuln_instances response codes

HTTP Response
Code Unique Code Description
201 The vulnerability instance search is queued.
404 1002 null
500 1020 null

Response Description

The responses returns a task ID.

Response Sample
{
"id": 42,
"retention_period_in_days": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}

Chapter 7. Previous REST API versions 1195

 POST /qvm/tickets/assign DEPRECATED
Update the remediation ticket for the assigned vulnerability
Table 2403. POST /qvm/tickets/assign resource details
MIME Type
application/json

Table 2404. POST /qvm/tickets/assign request body details

Parameter Data Type MIME Type Description Sample
ticket JSON application/json [ { "ticketId":"1000",
'ticketId': required. "status":"Opened", "priority":"Critical",
"dueDate":"2015-01-04 12:00:00",
"assignedUser":"admin",
'priority' one of required :
"comment":"testComment",
Critical, Major, Minor,
"commentUser":"admin" } ]
Warning, Informational.

'status' one of required :

Opened, Fixed, Re-Opened,
Closed .

'dueDate' Optional :
yyyy-MM-dd HH:mm:ss.

'assignedUser' required : valid

QRadar user account name or
a valid email.

'comment' Optional : text.

'commentUser' Optional :
valid QRadar user account
name, if not included will
default current API user.

Table 2405. POST /qvm/tickets/assign response codes

HTTP Response
Code Unique Code Description
200 The request to assign a ticket completed successfully
420 9104 An error occurred while trying to assign a ticket due
to invalid arguments

Response Description

success message if update succeed

Response Sample

GET /qvm/vulns DEPRECATED

List the Vulnerabilities present in the asset model. The response will contain all
available RESTful resources
Table 2406. GET /qvm/vulns resource details
MIME Type
application/json

Table 2407. GET /qvm/vulns request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name

1196 QRadar API Reference Guide

 Table 2407. GET /qvm/vulns request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2408. GET /qvm/vulns response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities completed
successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of vulnerability data

Response Sample

Reference data endpoints

Use the references for REST API V6.0 reference data endpoints.

GET /reference_data/map_of_sets DEPRECATED

Retrieve a list of all reference map of sets.
Table 2409. GET /reference_data/map_of_sets resource details
MIME Type
application/json

Table 2410. GET /reference_data/map_of_sets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1197

 Table 2410. GET /reference_data/map_of_sets request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2411. GET /reference_data/map_of_sets response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference map of sets

Response Description

A list of all of the reference map of sets. This returns information about the map of
sets but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/map_of_sets DEPRECATED

Create a new reference map of sets.
Table 2412. POST /reference_data/map_of_sets resource details
MIME Type
application/json

1198 QRadar API Reference Guide

Table 2413. POST /reference_data/map_of_sets request parameter details
Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map of sets
to create
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map of sets. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2414. POST /reference_data/map_of_sets response codes

HTTP Response
Code Unique Code Description
201 A new reference map of sets was successfully
created
409 1004 The reference map of sets could not be created, the
name provided is already in use. Please change the
name and try again.

Chapter 7. Previous REST API versions 1199

 Table 2414. POST /reference_data/map_of_sets response codes (continued)
HTTP Response
Code Unique Code Description
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map of sets

Response Description

Information about the newly created reference map of sets.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/map_of_sets/{name} DEPRECATED

Return the reference map of sets identified by name.

Return the reference map of sets identified by name. If provided, limit specifies
the number of records to return starting at the record that is specified by offset. If
the number is not specified, then the first 20 records is returned.
Table 2415. GET /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 2416. GET /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1200 QRadar API Reference Guide

Table 2416. GET /reference_data/map_of_sets/{name} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2417. GET /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has been retrieved
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference map of sets

Response Description

The reference map of sets identified by the name specified in the request. The
portion of the reference map of sets' data returned is dependent on the limit and
offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
]
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/{name} DEPRECATED

Add or update an element in a reference map of sets.
Table 2418. POST /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1201

 Table 2419. POST /reference_data/map_of_sets/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to add or update
an element in
key query Required String text/plain Required - The key of
the set to add or
update
value query Required String text/plain Required - The value to
add or update in the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - This
indicates where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2420. POST /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had an element added
or updated
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map of sets

Response Description

Information about the reference map of sets that has had an element added or
updated. This returns information about the reference map of sets but not the
contained data.

1202 QRadar API Reference Guide

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/map_of_sets/{name} DEPRECATED

Remove a map of sets or purge its contents.
Table 2421. DELETE /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 2422. DELETE /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map of sets
should have its
contents purged (true),
keeping the reference
map of sets structure. If
the value is "false" or
not specified the
reference map of sets
will be removed
completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1203

 Table 2423. DELETE /reference_data/map_of_sets/{name} response codes
HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets deletion or purge
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map of sets

Response Description

A status_id to retrieve the Reference Data Map of Sets deletion or purge status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

1204 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/map_of_sets/{name}/dependents
DEPRECATED
Retrieves the dependents of the Map of Sets.

Initiates the retrieval of dependents of the Map of Sets

Table 2424. GET /reference_data/map_of_sets/{name}/dependents resource details
MIME Type
application/json

Table 2425. GET /reference_data/map_of_sets/{name}/dependents request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2426. GET /reference_data/map_of_sets/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Chapter 7. Previous REST API versions 1205

 Response Description

A status_id to retrieve the Reference Data Map of Sets dependent retrieval status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

1206 QRadar API Reference Guide

DELETE /reference_data/map_of_sets/{name}/value/{key}
DEPRECATED
Remove a value from a reference map of sets.
Table 2427. DELETE /reference_data/map_of_sets/{name}/value/{key} resource details
MIME Type
application/json

Table 2428. DELETE /reference_data/map_of_sets/{name}/value/{key} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove a value
from
key path Required String text/plain Required - The key of
the value to remove
value query Required String text/plain Required - The value to
remove from the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2429. DELETE /reference_data/map_of_sets/{name}/value/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had a value removed
404 1002 The reference map of sets does not exist
404 1003 The record does not exist in the reference map of
sets
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference map of sets value

Chapter 7. Previous REST API versions 1207

 Response Description

Information about the reference map of sets that had a value removed. This returns
information about the reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/maps DEPRECATED

Retrieve a list of all reference maps.
Table 2430. GET /reference_data/maps resource details
MIME Type
application/json

Table 2431. GET /reference_data/maps request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2432. GET /reference_data/maps response codes

HTTP Response
Code Unique Code Description
200 The reference map list has been retrieved

1208 QRadar API Reference Guide

Table 2432. GET /reference_data/maps response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to retrieve all of
the reference maps

Response Description

A list of all of the reference maps. This returns information about the maps but not
the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/maps DEPRECATED

Create a new reference map.
Table 2433. POST /reference_data/maps resource details
MIME Type
application/json

Table 2434. POST /reference_data/maps request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map to
create
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.

Chapter 7. Previous REST API versions 1209

 Table 2434. POST /reference_data/maps request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2435. POST /reference_data/maps response codes

HTTP Response
Code Unique Code Description
201 A new reference map was successfully created
409 1004 The reference map could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map

Response Description

Information about the newly created reference map.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

1210 QRadar API Reference Guide

GET /reference_data/maps/{name} DEPRECATED
Retrieve the reference map identified by name.

Retrieve the reference map identified by name. If it is provided, limit specifies the
number of records to return starting at record that is specified by offset. If the
number is not specified, then the first 20 records are returned.
Table 2436. GET /reference_data/maps/{name} resource details
MIME Type
application/json

Table 2437. GET /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2438. GET /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map has been retrieved
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference map

Chapter 7. Previous REST API versions 1211

 Response Description

The reference map identified by the name specified in the request. The portion of
the reference map's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/{name} DEPRECATED

Add or update an element in a reference map.
Table 2439. POST /reference_data/maps/{name} resource details
MIME Type
application/json

Table 2440. POST /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
add or update an
element in
key query Required String text/plain Required - The key
who's value we want to
add or update
value query Required String text/plain Required - The value to
add or update in the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'

1212 QRadar API Reference Guide

Table 2440. POST /reference_data/maps/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2441. POST /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map has had an element added or
updated
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map

Response Description

Information about the reference map that had an element added or updated. This
returns information about reference map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/maps/{name} DEPRECATED

Remove a reference map or purge its contents.
Table 2442. DELETE /reference_data/maps/{name} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1213

 Table 2443. DELETE /reference_data/maps/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map should
have its contents
purged (true), keeping
the reference map
structure. If the value is
"false" or not specified
the reference map will
be removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2444. DELETE /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Maps deletion or purge request
has been accepted and is in progress
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map

Response Description

A status_id to retrieve the Reference Data Maps deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],

1214 QRadar API Reference Guide

 "completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/maps/{name}/dependents DEPRECATED

Retrieves the dependents of the Map.
Table 2445. GET /reference_data/maps/{name}/dependents resource details
MIME Type
application/json

Table 2446. GET /reference_data/maps/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map
retrieve dependents for

Chapter 7. Previous REST API versions 1215

 Table 2446. GET /reference_data/maps/{name}/dependents request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2447. GET /reference_data/maps/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Maps dependent retrieval
request has been accepted and is in progress
404 1002 The reference Map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map

Response Description

A status_id to retrieve the Reference Data Maps dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

1216 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/maps/{name}/value/{key} DEPRECATED

Remove a value from a reference map.
Table 2448. DELETE /reference_data/maps/{name}/value/{key} resource details
MIME Type
application/json

Table 2449. DELETE /reference_data/maps/{name}/value/{key} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove a value from
key path Required String text/plain Required - The key of
the value to remove
value query Required String text/plain Required - The value to
remove from the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.

Chapter 7. Previous REST API versions 1217

 Table 2449. DELETE /reference_data/maps/{name}/value/{key} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2450. DELETE /reference_data/maps/{name}/value/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map has had a value removed
404 1002 The reference map does not exist
404 1003 The record does not exist in the reference map
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
value from the reference map

Response Description

Information about the reference map that had an element removed. This returns
information about map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/sets DEPRECATED

Retrieve a list of all reference sets.
Table 2451. GET /reference_data/sets resource details
MIME Type
application/json

1218 QRadar API Reference Guide

Table 2452. GET /reference_data/sets request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2453. GET /reference_data/sets response codes

HTTP Response
Code Unique Code Description
200 The reference set list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference sets

Response Description

A list of all of the reference sets. This returns information about the sets but not the
contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

Chapter 7. Previous REST API versions 1219

 POST /reference_data/sets DEPRECATED
Create a new reference set.
Table 2454. POST /reference_data/sets resource details
MIME Type
application/json

Table 2455. POST /reference_data/sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference set being
created
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
set. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2456. POST /reference_data/sets response codes

HTTP Response
Code Unique Code Description
201 A new reference set was successfully created

1220 QRadar API Reference Guide

Table 2456. POST /reference_data/sets response codes (continued)
HTTP Response
Code Unique Code Description
409 1004 The reference set could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference set

Response Description

Information about the newly created reference set.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name} DEPRECATED

Retrieve the reference set identified by name.

Retrieve the reference set that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 2457. GET /reference_data/sets/{name} resource details
MIME Type
application/json

Table 2458. GET /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1221

 Table 2458. GET /reference_data/sets/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2459. GET /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has been retrieved
404 1002 The reference set does not exist.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference set

Response Description

The reference set identified by the name specified in the request. The portion of the
set's data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
],
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/{name} DEPRECATED

Add or update an element in a reference set.
Table 2460. POST /reference_data/sets/{name} resource details
MIME Type
application/json

1222 QRadar API Reference Guide

Table 2461. POST /reference_data/sets/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to add
or update an element in
value query Required String text/plain Required - The value to
add or update in the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2462. POST /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had an element added or
updated
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update an element in the reference set

Response Description

Information about the reference set that had an element added or updated. This
returns information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",

Chapter 7. Previous REST API versions 1223

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/sets/{name} DEPRECATED

Remove a reference set or purge its contents.
Table 2463. DELETE /reference_data/sets/{name} resource details
MIME Type
application/json

Table 2464. DELETE /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the set to remove or
purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference set should
have its contents
purged (true), keeping
the reference set
structure. If the value is
"false" or not specified
the reference set will be
removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2465. DELETE /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Sets deletion or purge request
has been accepted and is in progress
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference set

1224 QRadar API Reference Guide

Response Description

A status_id to retrieve the Reference Data Sets deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

Chapter 7. Previous REST API versions 1225

 GET /reference_data/sets/{name}/dependents DEPRECATED
Retrieves the dependents of the set.
Table 2466. GET /reference_data/sets/{name}/dependents resource details
MIME Type
application/json

Table 2467. GET /reference_data/sets/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the Reference Set
retrieve dependents for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2468. GET /reference_data/sets/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Sets dependent retrieval request
has been accepted and is in progress
404 1002 The Reference Set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the Reference Set

Response Description

A status_id to retrieve the Reference Data Sets dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,

1226 QRadar API Reference Guide

 "message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/sets/{name}/value/{value} DEPRECATED

Remove a value from a reference set.
Table 2469. DELETE /reference_data/sets/{name}/value/{value} resource details
MIME Type
application/json

Table 2470. DELETE /reference_data/sets/{name}/value/{value} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
remove a value from

Chapter 7. Previous REST API versions 1227

 Table 2470. DELETE /reference_data/sets/{name}/value/{value} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value path Required String text/plain Required - The value to
remove from the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2471. DELETE /reference_data/sets/{name}/value/{value} response codes

HTTP Response
Code Unique Code Description
200 The reference set that had a value removed
404 1002 The reference set does not exist
404 1003 The record does not exist in the reference set
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
value from the reference set.

Response Description

Information about the reference set that had an value removed. This returns
information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

1228 QRadar API Reference Guide

POST /reference_data/sets/bulk_load/{name} DEPRECATED
Add or update data in a reference set.
Table 2472. POST /reference_data/sets/bulk_load/{name} resource details
MIME Type
application/json

Table 2473. POST /reference_data/sets/bulk_load/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
set to add or update
data in
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2474. POST /reference_data/sets/bulk_load/{name} request body details

Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON ["String", "String",
formated data to add or "String", "String",
update in the reference "String", "String",
set "String", "String",
"String", "String",
"String"]

Table 2475. POST /reference_data/sets/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had data added or updated
400 1001 An error occurred parsing the JSON formatted
message body
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference set

Response Description

Information about the reference set that had data added or updated. This returns
information about the reference set but not the contained data.

Chapter 7. Previous REST API versions 1229

 Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/tables DEPRECATED

Retrieve a list of all reference tables.
Table 2476. GET /reference_data/tables resource details
MIME Type
application/json

Table 2477. GET /reference_data/tables request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2478. GET /reference_data/tables response codes

HTTP Response
Code Unique Code Description
200 The reference table list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference tables

1230 QRadar API Reference Guide

Response Description

A list of all of the reference tables. This returns information about the tables but
not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/tables DEPRECATED

Create a new reference table.
Table 2479. POST /reference_data/tables resource details
MIME Type
application/json

Table 2480. POST /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference table to
create
element_type query Required String text/plain Required - The default
element type for the
values allowed in the
reference table. This is
used when values are
added or updated in the
reference table who's
inner key was not defined
in the key_name_types
parameter. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented in
milliseconds since the
Unix Epoch January 1st
1970.
outer_key_label query Optional String text/plain Optional - The label to
describe the outer keys
timeout_type query Optional String text/plain Optional - The allowed
values are "FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for example:
"1 month" or "5 minutes"

Chapter 7. Previous REST API versions 1231

 Table 2480. POST /reference_data/tables request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
key_name_types query Optional Array<Object> application/json Optional - A JSON
formatted string. This
array creates the inner key
names and corresponding
value types for the table
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 2481. POST /reference_data/tables response codes

HTTP Response
Code Unique Code Description
201 A new reference table was successfully created
409 1004 The reference table could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference table

Response Description

Information about the newly created reference table.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/tables/{name} DEPRECATED

Return the reference table identified by name.

Return the reference table that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 2482. GET /reference_data/tables/{name} resource details
MIME Type
application/json

1232 QRadar API Reference Guide

Table 2483. GET /reference_data/tables/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2484. GET /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference table has been retrieved
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference table

Response Description

The reference table identified by the name specified in the request. The portion of
the reference table's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",

Chapter 7. Previous REST API versions 1233

 "key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/{name} DEPRECATED

Add or update an element in a reference table.

Add or update an element in a reference table. The value to be added must be of

the appropriate type. Either the type that corresponds to the innerKey that is
predefined for the reference table, or the default elementType of the reference table
Table 2485. POST /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2486. POST /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
add or update an
element in
outer_key query Required String text/plain Required - The outer
key for the element to
add or update
inner_key query Required String text/plain Required - The inner
key for the element to
add or update
value query Required String text/plain Required - The value to
add or update in the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'

1234 QRadar API Reference Guide

Table 2486. POST /reference_data/tables/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2487. POST /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference table has had an element added or
updated
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference table

Response Description

Information about the reference table that had an element added or updated. This
returns information about the reference table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/tables/{name} DEPRECATED

Remove a reference table or purge its contents.
Table 2488. DELETE /reference_data/tables/{name} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1235

 Table 2489. DELETE /reference_data/tables/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference table should
have its contents
purged (true), keeping
the reference table
structure. If the value is
"false" or not specified
the reference table will
be removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2490. DELETE /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables deletion or purge request
has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference table

Response Description

A status_id to retrieve the Reference Data Tables deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],

1236 QRadar API Reference Guide

 "completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables/{name}/dependents DEPRECATED

Retrieves the dependents of the Table.
Table 2491. GET /reference_data/tables/{name}/dependents resource details
MIME Type
application/json

Table 2492. GET /reference_data/tables/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for

Chapter 7. Previous REST API versions 1237

 Table 2492. GET /reference_data/tables/{name}/dependents request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2493. GET /reference_data/tables/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Response Description

A status_id to retrieve the Reference Data Tables dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

1238 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/tables/{name}/value/{outer_key}/
{inner_key} DEPRECATED
Remove a value from a reference table.
Table 2494. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} resource
details
MIME Type
application/json

Table 2495. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove a value from
outer_key path Required String text/plain Required - The outer
key of the value to
remove
inner_key path Required String text/plain Required - The inner
key of the value to
remove

Chapter 7. Previous REST API versions 1239

 Table 2495. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value query Required String text/plain Required - The value to
remove from the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2496. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} response

codes
HTTP Response
Code Unique Code Description
200 The reference table had had a value removed
404 1002 The reference table does not exist
404 1003 The record does not exist in the reference table
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference table value

Response Description

Information about the reference table that had an element removed. This returns
information about table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

1240 QRadar API Reference Guide

Scanner endpoints
Use the references for REST API V6.0 scanner endpoints.

GET /scanner/profiles DEPRECATED

Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
Table 2497. GET /scanner/profiles resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2498. GET /scanner/profiles response codes
HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample

POST /scanner/profiles/create DEPRECATED

Initiates a request to create a new Scan Profile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and IP addresses to scan. For example:
{name:New Scan Profile, ips:[10.100.85.135]}
Table 2499. POST /scanner/profiles/create resource details
MIME Type
text/plain

Table 2500. POST /scanner/profiles/create request body details

Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Chapter 7. Previous REST API versions 1241

 Table 2501. POST /scanner/profiles/create response codes
HTTP Response
Code Unique Code Description
200 The scan has been successfully created
419 9101 Occurs when a parameter is missing or invalid
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

POST /scanner/profiles/start DEPRECATED

Initiates a request to start an already created scanProfile.

The request takes one parameter - scanProfileId. To get a list of scanProfileIds, get
a list of the current scan profiles by initiating a 'profiles' request on the scanner
endpoint. The scanProfileId is validated and an appropriate message is returned.
Table 2502. POST /scanner/profiles/start resource details
MIME Type
text/plain

Table 2503. POST /scanner/profiles/start request parameter details

Parameter Type Optionality Data Type MIME Type Description
scanProfileId query Required String text/plain The unique id of the
scan profile we want to
start

Table 2504. POST /scanner/profiles/start response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

1242 QRadar API Reference Guide

GET /scanner/scanprofiles DEPRECATED
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2505. GET /scanner/scanprofiles resource details
MIME Type
application/json

Table 2506. GET /scanner/scanprofiles request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2507. GET /scanner/scanprofiles response codes

HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned

Chapter 7. Previous REST API versions 1243

 Table 2507. GET /scanner/scanprofiles response codes (continued)
HTTP Response
Code Unique Code Description
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles DEPRECATED

Initiates a request to create a new scanProfile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and hosts to scan. For example:
{name:New Scan Profile, hosts:[10.100.85.135]}
Table 2508. POST /scanner/scanprofiles resource details
MIME Type
text/plain

1244 QRadar API Reference Guide

Table 2509. POST /scanner/scanprofiles request body details
Parameter Data Type MIME Type Description Sample
scanProfile Object application/json null { "description": "String",
"hosts": [ "String" ],
"name": "String" }

Table 2510. POST /scanner/scanprofiles response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully created
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid} DEPRECATED

Retrieves a scan profile for a given Scan Profile ID.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v name
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2511. GET /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 2512. GET /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we need to
retrieve information for

Chapter 7. Previous REST API versions 1245

 Table 2512. GET /scanner/scanprofiles/{profileid} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2513. GET /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
200 The scan profile was successfully returned
500 1030 Occurs when an attempt is made to list a scan
profile when certain conditions are not met, or when
too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,

1246 QRadar API Reference Guide

 "hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles/{profileid} DEPRECATED

Update a scan profile. The Scan Profile ID is required.

The following information on a scan profile can be updated:

v name
v description
v IP addresses

For example:
{name:Updated Scan Profile, ips:[10.100.85.135]}
Table 2514. POST /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 2515. POST /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile used to
update

Table 2516. POST /scanner/scanprofiles/{profileid} request body details

Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 2517. POST /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
202 The scan profile was successfully updated
500 1030 Occurs when an attempt is made to update a scan
profile when certain conditions are not met, or when
too many scan requests have been made

Chapter 7. Previous REST API versions 1247

 Response Description

A message to indicate whether the scan profile has updated or not.

Response Sample

DELETE /scanner/scanprofiles/{profileid} DEPRECATED

Initiates a request to delete a scanProfile.

The request takes one parameter - the Scan Profile ID.

Table 2518. DELETE /scanner/scanprofiles/{profileid} resource details
MIME Type
text/plain

Table 2519. DELETE /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain null

Table 2520. DELETE /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
204 The scan has been successfully deleted
500 1030 Occurs when an attempt is made to delete a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been deleted successfully or not.

Response Sample
String

POST /scanner/scanprofiles/{profileid}/start DEPRECATED

Initiates a request to start an already created scanProfile.

The request takes one parameter, scanProfileId, and one optional parameter, ips.
To get a list of scanProfileIds, simply get a list of the current scan profiles by
initiating a 'profiles' request on the scanner endpoint. The scanProfileId, is
validated and an appropriate message returned.
Table 2521. POST /scanner/scanprofiles/{profileid}/start resource details
MIME Type
text/plain

1248 QRadar API Reference Guide

 Table 2522. POST /scanner/scanprofiles/{profileid}/start request parameter details
MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we want to
start

Table 2523. POST /scanner/scanprofiles/{profileid}/start request body details

Parameter Data Type MIME Type Description Sample
ips JSON application/json null null

Table 2524. POST /scanner/scanprofiles/{profileid}/start response codes

HTTP Response
Code Unique Code Description
202 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

SIEM endpoints
Use the references for REST API V6.0 SIEM endpoints.

GET /siem/local_destination_addresses DEPRECATED

Retrieve a list offense local destination addresses currently in the system.
Table 2525. GET /siem/local_destination_addresses resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1249

 Table 2526. GET /siem/local_destination_addresses request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2527. GET /siem/local_destination_addresses response codes

HTTP Response
Code Unique Code Description
200 The local destination address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the local destination
address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object

contains the following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.

1250 QRadar API Reference Guide

v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}
]

GET /siem/local_destination_addresses/
{local_destination_address_id} DEPRECATED
Retrieve an offense local destination address.
Table 2528. GET /siem/local_destination_addresses/{local_destination_address_id} resource
details
MIME Type
application/json

Table 2529. GET /siem/local_destination_addresses/{local_destination_address_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
local_destination_address_id path Required Number text/plain Required - The ID of the
(Integer) local destination address
to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2530. GET /siem/local_destination_addresses/{local_destination_address_id}

response codes
HTTP Response
Code Unique Code Description
200 The local destination was retrieved.

Chapter 7. Previous REST API versions 1251

 Table 2530. GET /siem/local_destination_addresses/{local_destination_address_id}
response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No local destination address was found for the
provided local_destination_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the local destination
address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the
following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}

1252 QRadar API Reference Guide

GET /siem/offense_closing_reasons DEPRECATED
Retrieve a list of all offense closing reasons.
Table 2531. GET /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2532. GET /siem/offense_closing_reasons request parameter details

MIME
Parameter Type Optionality Data Type Type Description
include_reserved query Optional Boolean text/plain Optional - If true,
reserved closing
reasons are included in
the response. Defaults
to false. Reserved
closing reasons cannot
be used to close an
offense.
include_deleted query Optional Boolean text/plain Optional - If true,
deleted closing reasons
are included in the
response. Defaults to
false. Deleted closing
reasons cannot be used
to close an offense.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict
the number of elements
that are returned in the
list to a specified
range. The list is
indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2533. GET /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
200 The closing reasons list was retrieved.
500 1020 An error occurred while the closing reasons list was
being retrieved.

Chapter 7. Previous REST API versions 1253

 Response Description

An array of ClosingReason objects. A closing reason object contains the following

fields:
v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
[
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
]

POST /siem/offense_closing_reasons DEPRECATED

Create an offense closing reason.
Table 2534. POST /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2535. POST /siem/offense_closing_reasons request parameter details

MIME
Parameter Type Optionality Data Type Type Description
reason query Required String text/plain Required - The text of
the offense closing
reason must be 5 - 60
characters in length.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2536. POST /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
201 The closing reason was created.
409 1004 The closing reason already exists.
422 1005 A request parameter is not valid.

1254 QRadar API Reference Guide

Table 2536. POST /siem/offense_closing_reasons response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to create the
closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_closing_reasons/{closing_reason_id}
DEPRECATED
Retrieve an offense closing reason.
Table 2537. GET /siem/offense_closing_reasons/{closing_reason_id} resource details
MIME Type
application/json

Table 2538. GET /siem/offense_closing_reasons/{closing_reason_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
closing_reason_id path Required Number text/plain Required - The closing
(Integer) reason ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2539. GET /siem/offense_closing_reasons/{closing_reason_id} response codes

HTTP Response
Code Unique Code Description
200 The closing reason was retrieved.

Chapter 7. Previous REST API versions 1255

 Table 2539. GET /siem/offense_closing_reasons/{closing_reason_id} response
codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No closing reason was found for the provided
closing_reason_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_types DEPRECATED

Retrieve all the Offense Types

Retrieve all Offense Types

Table 2540. GET /siem/offense_types resource details
MIME Type
application/json

Table 2541. GET /siem/offense_types request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

1256 QRadar API Reference Guide

Table 2541. GET /siem/offense_types request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.

Table 2542. GET /siem/offense_types response codes

HTTP Response
Code Unique Code Description
200 The requested offense types list has been retrieved.
422 1005 A request parameter is not valid.
422 1012 The selected field cannot be used for sorting or it
does not exist.
500 1020 An error occurred while attempting to retrieve the
offense type list.

Response Description

The Offense Types that exist at the moment. Offense types may include custom
flow/event properties only if they have been selected as part of a rule action or
rule response limiter.
v id - Number - The ID of the offense type and what is presented in the offense's
offense_type.
v property_name - String - The name of the event or flow property represented by
this offense type for flow or event properties or the unique identifier for custom
flow or event properties.
v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are:
EVENTS, FLOWS, or COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event
property.
The following field can be sorted on: id.

Chapter 7. Previous REST API versions 1257

 Response Sample
[
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}
]

GET /siem/offense_types/{offense_type_id} DEPRECATED

Retrieve an offense type structure that describes the properties of an offense type.

Retrieve an Offense Type

Table 2543. GET /siem/offense_types/{offense_type_id} resource details
MIME Type
application/json

Table 2544. GET /siem/offense_types/{offense_type_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
offense_type_id path Required Number text/plain Required - int - The
(Integer) offense type id.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2545. GET /siem/offense_types/{offense_type_id} response codes

HTTP Response
Code Unique Code Description
200 The requested offense type has been retrieved.
404 1002 The requested offense type cannot be found.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
requested offense type.

Response Description

The Offense Type with the entered offense_type_id.

v id - Number - The ID of the offense type and what is presented in the offense's
offense_type.
v property_name - String - The name of the of the event or flow property
represented by this offense type for flow or event properties or the unique
identifier for custom flow or event properties.

1258 QRadar API Reference Guide

v name - String - The offense type's name.
v database_type - String - Database where this type is present. Possible values are:
EVENTS, FLOWS, or COMMON (if it belongs to both events and flows)
v custom - boolean - True if the offense type is based on a custom flow or event
property.

Response Sample
{
"custom": true,
"database_type": "String <one of: EVENTS,
FLOWS,
COMMON>",
"id": 42,
"name": "String",
"property_name": "String"
}

GET /siem/offenses DEPRECATED

Retrieve a list of offenses currently in the system.

Retrieve a list of offenses currently in the system.

Table 2546. GET /siem/offenses resource details
MIME Type
application/json

Table 2547. GET /siem/offenses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Chapter 7. Previous REST API versions 1259

 Table 2548. GET /siem/offenses response codes
HTTP Response
Code Unique Code Description
200 The offense list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the offense list was being
retrieved.

Response Description

An array of Offense objects. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense. Filtering is not supported
on this field.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
Filtering is not supported on this field.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.

1260 QRadar API Reference Guide

v offense_source - String - The source of the offense. Filtering is not supported on
this field.
v offense_type - Number - A number that represents the offense type. Use GET
/siem/offense_types to retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED". The following operators are not supported when you filter on this
field: "<", ">", "<=", ">=", "BETWEEN".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.

Response Sample
[{"credibility": 42,
"source_address_ids": [42],
"remote_destination_count": 42,
"local_destination_address_ids": [42],
"assigned_to": "String",
"local_destination_count": 42,
"source_count": 42,
"start_time": 42,
"id": 42,
"destination_networks": ["String"],
"inactive": true,
"protected": true,
"policy_category_count": 42,
"description": "String",
"category_count": 42,
"domain_id": 42,
"relevance": 42,
"device_count": 42,
"security_category_count": 42,
"flow_count": 42,
"event_count": 42,
"offense_source": "String",
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"magnitude": 42,
"severity": 42,
"username_count": 42,
"closing_user": "String",
"follow_up": true,
"closing_reason_id": 42,
"close_time": 42,
"source_network": "String",

Chapter 7. Previous REST API versions 1261

 "last_updated_time": 42,
"categories": ["String"],
"offense_type": 42
}]

GET /siem/offenses/{offense_id} DEPRECATED

Retrieve an offense structure that describes properties of an offense

Retrieve an offense structure that describes properties of an offense

Table 2549. GET /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 2550. GET /siem/offenses/{offense_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2551. GET /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being
retrieved.

Response Description

An Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
1262 QRadar API Reference Guide
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. Use GET
/siem/offense_types to retrieve the list.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.

Chapter 7. Previous REST API versions 1263

 Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

POST /siem/offenses/{offense_id} DEPRECATED

Update an offense.
Table 2552. POST /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 2553. POST /siem/offenses/{offense_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The ID of
(Integer) the offense to update.
protected query Optional Boolean text/plain Optional - Set to true
to protect the offense.

1264 QRadar API Reference Guide

Table 2553. POST /siem/offenses/{offense_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
follow_up query Optional Boolean text/plain Optional - Set to true
to set the follow up
flag on the offense.
status query Optional String text/plain Optional - The new
status for the offense.
Set to one of: OPEN,
HIDDEN, CLOSED.
When the status of an
offense is being set to
CLOSED, a valid
closing_reason_id must
be provided. To hide
an offense, use the
HIDDEN status. To
show a previously
hidden offense, use the
OPEN status.
closing_reason_id query Optional Number text/plain Optional - The ID of a
(Integer) closing reason. You
must provide a valid
closing_reason_id
when you close an
offense.
assigned_to query Optional String text/plain Optional - A user to
assign the offense to.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2554. POST /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was updated.
403 1009 User does not have the required capability to assign an
offense.
404 1002 No offense was found for the provided offense_id.
409 1008 Request cannot be completed due to the state of the
offense.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being updated.

Response Description

An updated Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.

Chapter 7. Previous REST API versions 1265

 v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. See the
Offense Type Codes table for the code to offense type mapping.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.

1266 QRadar API Reference Guide

v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.
Table 2555. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source
7 Hostname
8 Source Port
9 Destination Port
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",

Chapter 7. Previous REST API versions 1267

 "offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offenses/{offense_id}/notes DEPRECATED

Retrieve a list of notes for an offense.
Table 2556. GET /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 2557. GET /siem/offenses/{offense_id}/notes request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the notes
for.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

1268 QRadar API Reference Guide

Table 2558. GET /siem/offenses/{offense_id}/notes response codes
HTTP Response
Code Unique Code Description
200 The note list was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the note list was being
retrieved.

Response Description

An array of Note objects. A Note object contains the following fields:

v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
[
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
]

POST /siem/offenses/{offense_id}/notes DEPRECATED

Create a note on an offense.
Table 2559. POST /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 2560. POST /siem/offenses/{offense_id}/notes request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to add the note to.
note_text query Required String text/plain Required - The note
text.

Chapter 7. Previous REST API versions 1269

 Table 2560. POST /siem/offenses/{offense_id}/notes request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2561. POST /siem/offenses/{offense_id}/notes response codes

HTTP Response
Code Unique Code Description
201 The note was created.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the
note.

Response Description

The Note object that was created. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED

Retrieve a note for an offense.
Table 2562. GET /siem/offenses/{offense_id}/notes/{note_id} resource details
MIME Type
application/json

1270 QRadar API Reference Guide

Table 2563. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the note
from.
note_id path Required Number text/plain Required - The note ID.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2564. GET /siem/offenses/{offense_id}/notes/{note_id} response codes

HTTP Response
Code Unique Code Description
200 The note was retrieved.
404 1002 No offense was found for the provided offense_id.
404 1003 No note was found for the provided note_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
note.

Response Description

The Note object for the note ID. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

Chapter 7. Previous REST API versions 1271

 GET /siem/source_addresses DEPRECATED
Retrieve a list offense source addresses currently in the system.
Table 2565. GET /siem/source_addresses resource details
MIME Type
application/json

Table 2566. GET /siem/source_addresses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2567. GET /siem/source_addresses response codes

HTTP Response
Code Unique Code Description
200 The source address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the source address list was
being retrieved.

Response Description

An array of source address objects. A source address object contains the following
fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.

1272 QRadar API Reference Guide

v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
]

GET /siem/source_addresses/{source_address_id} DEPRECATED

Retrieve an offense source address.
Table 2568. GET /siem/source_addresses/{source_address_id} resource details
MIME Type
application/json

Table 2569. GET /siem/source_addresses/{source_address_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
source_address_id path Required Number text/plain Required - The ID of the
(Integer) source address to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Chapter 7. Previous REST API versions 1273

 Table 2570. GET /siem/source_addresses/{source_address_id} response codes
HTTP Response
Code Unique Code Description
200 The source address was retrieved.
404 1002 No source address was found for the provided
source_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the source address was
being retrieved.

Response Description

A source address object. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}

System endpoints
Use the references for REST API V5 system endpoints.

1274 QRadar API Reference Guide

GET /system/servers DEPRECATED
Retrieve a list of all server hosts in the deployment.
Table 2571. GET /system/servers resource details
MIME Type
application/json

Table 2572. GET /system/servers request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2573. GET /system/servers response codes

HTTP Response
Code Unique Code Description
200 The requested list of server records has been
successfully retrieved.
500 1020 An error has occurred while trying to retrieve the
requested servers.

Response Description

A list of the servers. A server record contains the following fields:

v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Chapter 7. Previous REST API versions 1275

 Response Sample
[
{
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}
]

GET /system/servers/{server_id} DEPRECATED

Retrieve a server host based on the supplied server ID.
Table 2574. GET /system/servers/{server_id} resource details
MIME Type
application/json

Table 2575. GET /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2576. GET /system/servers/{server_id} response codes

HTTP Response
Code Unique Code Description
200 The requested server record has been retrieved.
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Response Description

A server record containing the following fields:

v email_server_address - String - email server address
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server

1276 QRadar API Reference Guide

v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

POST /system/servers/{server_id} DEPRECATED

Updates an existing server.
Table 2577. POST /system/servers/{server_id} resource details
MIME Type
application/json

Table 2578. POST /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

Table 2579. POST /system/servers/{server_id} request body details

Parameter Data Type MIME Type Description Sample
details Object application/json Required - A server {
details record "email_server_address":
containing the "String" }
following field:

email_server_address -
String - email server
address. Must be a
valid server address
that the server can
connect to through port
25.

Table 2580. POST /system/servers/{server_id} response codes

HTTP Response
Code Unique Code Description
200 The server record has been updated.
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
422 1006 Cannot connect to the mail server address on port
25.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Chapter 7. Previous REST API versions 1277

 Response Description

The updated server record containing the following fields:

v email_server_address - String - email server address.
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

GET /system/servers/{server_id}/firewall_rules DEPRECATED

Retrieve a list of access control firewall rules based on the supplied server ID.
Table 2581. GET /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 2582. GET /system/servers/{server_id}/firewall_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1278 QRadar API Reference Guide

Table 2583. GET /system/servers/{server_id}/firewall_rules response codes
HTTP Response
Code Unique Code Description
200 The rules records have been retrieved.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested access control firewall rules on the server
with the given Id.

Response Description

A list of the rules. Each rule record contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

PUT /system/servers/{server_id}/firewall_rules DEPRECATED

Set the access control firewall rules based on the supplied server ID.
Table 2584. PUT /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 2585. PUT /system/servers/{server_id}/firewall_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

Chapter 7. Previous REST API versions 1279

 Table 2586. PUT /system/servers/{server_id}/firewall_rules request body details
Parameter Data Type MIME Type Description Sample
rules Array<Object> application/json Required - A list of new [ { "is_any_source_ip":
rules in a JSON string. true, "port_range":
Each rule record "String", "port_type":
contains the following "String <one of: ANY,
field: SINGLE, RANGE>",
v is_any_source_ip - "protocol": "String <one
Boolean - Whether of: ANY, TCP, UDP>",
"single_port": "String",
any source IP is
"source_ip": "String" } ]
accepted
v port_range - String -
A port range in the
format of start-end
v port_type - String -
one of: ANY,
SINGLE, RANGE
v protocol - String -
one of: ANY, TCP,
UDP
v single_port - String -
A single port
v source_ip - String - A
specific IP address.

Table 2587. PUT /system/servers/{server_id}/firewall_rules response codes

HTTP Response
Code Unique Code Description
200 The rules have been updated.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to set the access
control firewall rules on the server with the given Id.

Response Description

A list of the rules in a JSON string. Each rule contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

1280 QRadar API Reference Guide

GET /system/servers/{server_id}/network_interfaces/ethernet
DEPRECATED
Retrieves a list of the ethernet network interfaces based on the supplied server ID.
Table 2588. GET /system/servers/{server_id}/network_interfaces/ethernet resource details
MIME Type
application/json

Table 2589. GET /system/servers/{server_id}/network_interfaces/ethernet request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2590. GET /system/servers/{server_id}/network_interfaces/ethernet response codes

HTTP Response
Code Unique Code Description
200 A list of the ethernet network interfaces were
retrieved.
404 1002 The requested server with the given server ID
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the
ethernet interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Chapter 7. Previous REST API versions 1281

 Response Description

A list of the ethernet network interfaces. Each ethernet network interface contains
the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The IP that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface
v is_auto_ip - Boolean - Is the IP auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: true,
false, unknown.
v is_moving_config_with_active_ha - Boolean -Applies the same settings to a new
active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.

Response Sample
[
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]

POST /system/servers/{server_id}/network_interfaces/ethernet/
{device_name} DEPRECATED
Updates an ethernet network interface based on the suppied server_Id and
device_name.
Table 2591. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
resource details
MIME Type
application/json

1282 QRadar API Reference Guide

Table 2592. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.
device_name path Required String text/plain Required - The name
of an existing
ethernet network
interface. The
interface cannot be
the management
interface, HA
crossover interface or
a slave of a bonded
interface. The
interface must be
cable linked.

Table 2593. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}

request body details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - An ethernet network { "ip": "String", "ipversion": "String <one of:
json interface record containing the ipv4, ipv6>", "is_auto_ip": true,
following fields: "is_moving_config_with_active_ha": true,
v role - String - The role of the "mask": "String", "role": "String <one of: regular,
management, hacrossover,
network interface. One of:
hacrossover_disabled, monitor, disabled, slave,
regular, monitor, disabled. slave_disabled>" }
v ipversion - String - The
verson of the IP address that
is configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address
that is configured on the
network interface. Required
when ipversion is ipv4 or
(ipversion is ipv6 and
is_auto_ip is false). The
subnet that is computed from
the IP address and the mask
must not be the same subnet
that is configured on the
management interface.
v mask - String - The netmask
that is configured on the
network interface. This
parameter is required when
ipversion is ipv4. The subnet
that is computed from the IP
address and the mask must
not be the same subnet that
is configured on the
management interface.
v is_auto_ip - Boolean - Is the
IP auto-configured. Required.
v is_moving_config
_with_active_ha - Boolean -
Applies the same settings to
a new active HA server
during failover. This
parameter can be true only
when the server host is an
active HA server host.

Chapter 7. Previous REST API versions 1283

 Table 2594. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
response codes
HTTP Response
Code Unique Code Description
200 The network interface has been updated.
404 1002 The requested server with the given server ID
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the
specified ethernet interfaces on the server with the
given ID.
500 1022 Timeout while performing the task.

Response Description

The updated ethernet network interface containing the following fields:

v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the that is IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured.
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.

Response Sample
{
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}

1284 QRadar API Reference Guide

GET /system/servers/{server_id}/network_interfaces/bonded
DEPRECATED
Retrieves a list of the bonded network interfaces based on the supplied server ID.
Table 2595. GET /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 2596. GET /system/servers/{server_id}/network_interfaces/bonded request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2597. GET /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response
Code Unique Code Description
200 A list of the bonded network interfaces were
retrieved.
404 1002 The requested server with the given server ID
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to retrieve the
bonded interfaces on the server with the given ID.
500 1022 Timeout while performing the task.

Chapter 7. Previous REST API versions 1285

 Response Description

A list of the bonded network interfaces. Each record contains the following fields:
v device_name - String - The name of the network interface.
v desc - String - The description of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_cable_linked - String - Is the network interface cable linked? One of: YES,
NO, UNKNOWN
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a
new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.
v slaves - List - The slaves of the bonded network interface. Each slave record
contains the follow fields:
device_name - String - The name of the slave interface.
desc - String - The description of the slave interface.
role - String - The role of the slave interface. One of: slave, slave_disabled
is_cable_linked - String - Is the slave interface cable linked. One of: true,
false, unknown

Response Sample
[
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{

1286 QRadar API Reference Guide

 "desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true,
false,
unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}
]

POST /system/servers/{server_id}/network_interfaces/bonded
DEPRECATED
Creates a new bonded network interface.
Table 2598. POST /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

Table 2599. POST /system/servers/{server_id}/network_interfaces/bonded request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.

Chapter 7. Previous REST API versions 1287

 Table 2600. POST /system/servers/{server_id}/network_interfaces/bonded request body
details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - The details of the { "bonding_opts": "String", "ip": "String",
json bonded network interface that "ipversion": "String <one of: ipv4, ipv6>",
contains the following fields: "is_auto_ip": true,
"is_moving_config_with_active_ha": true,
v role - String - The role of the
"mask": "String", "role": "String <one of: regular,
network interface. One of:
management, hacrossover,
regular, monitor, disabled. hacrossover_disabled, monitor, disabled, slave,
v ipversion - String - The slave_disabled>", "slaves": [ { "device_name":
verson of the IP address that "String" } ] }
is configured on the network
interface. One of: ipv4, ipv6.
v ip - String - The IP address
that is configured on the
network interface. This
parameter is required when
ipversion is ipv4 or
(ipversion is ipv6 and
is_auto_ip is false). The
subnet that is computed from
the IP address and the mask
must not be the same subnet
that is configured on the
management interface.
v mask - String - The netmask
that is configured on the
network interface. This
parameter is equired when
ipversion is ipv4. The subnet
that is computed from the ip
and the mask must not be
the same subnet that is
configured on the
management interface.
v is_auto_ip - Boolean - Is the
address auto-configured?
Required.
v is_moving_config
_with_active_ha - Boolean -
Applies the same settings to
a new active HA server
during failover. This
parameter can be true only
when the server host is an
active HA server host.
v bonding_opts - String - The
bonding options that are
configured on the bonded
network interface.

Table 2601. POST /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response
Code Unique Code Description
201 The bonded network interface was created.
404 1002 The requested server with the given server_id
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to create the bonded
interface on the server with the given ID.
500 1022 Timeout while performing the task.

1288 QRadar API Reference Guide

Response Description

The created bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. One of: ipv4, ipv6.
v ip - String - The Ip address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the Ip address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave
interface has one field: device_name. The device_name must be an existing
ethernet interface that cannot be the management interface, the HA crossover
interface or a slave interface of another bonded network interface. The array
must contain at least one ethernet interface.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true, false, unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,

Chapter 7. Previous REST API versions 1289

 slave_disabled>"
}
]
}

POST /system/servers/{server_id}/network_interfaces/bonded/
{device_name} DEPRECATED
Updates an existing bonded network interface.
Table 2602. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
resource details
MIME Type
application/json

Table 2603. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.
device_name path Required String text/plain Required - The name
of an existing bonded
network interface.
The interface cannot
be the management
interface or HA
crossover interface.
The interface must be
cable linked.

1290 QRadar API Reference Guide

Table 2604. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
request body details
Parameter Data Type MIME Type Description Sample
details Object application/ Required - The details of the { "bonding_opts": "String", "ip": "String",
json bonded network interface that "ipversion": "String <one of: ipv4, ipv6>",
contains the following fields: "is_auto_ip": true,
"is_moving_config_with_active_ha": true,
v role - String - The role of the
"mask": "String", "role": "String <one of: regular,
network interface. One of:
management, hacrossover,
regular, monitor, disabled hacrossover_disabled, monitor, disabled, slave,
v ipversion - String - The slave_disabled>", "slaves": [ { "device_name":
verson of the IP address that "String" } ] }
is configured on the network
interface. one of: ipv4, ipv6.
v ip - String - The IP address
that is configured on the
network interface. This
parameter is required when
ipversion is ipv4 or
(ipversion is ipv6 and
is_auto_ip is false). The
subnet that is computed from
the IP address and the mask
must not be the same subnet
that is configured on the
management interface.
v mask - String - The netmask
that is configured on the
network interface. This
parameter is equired when
ipversion is ipv4. The subnet
that is computed from the IP
address and the mask must
not be the same subnet that
is configured on the
management interface.
v is_auto_ip - Boolean - Is the
IP address auto-configured?
Required.
v is_moving_config
_with_active_ha - Boolean -
Applies the same settings to
a new active HA server
during failover. This
parameter can be true only
when the server host is an
active HA server host
v slaves - Array - The slave
ethernet interfaces of the
bonded interface. Each slave
interface has one field:
device_name. The
device_name must be an
existing ethernet interface
wthat cannot be the
management interface, the
HA crossover interface, or a
slave interface of another
bonded network interface. If
slaves are not null, the slaves
in this array will override the
existing slaves of the bonded
interface. When not null, the
array must contain at least
one ethernet interface. If null,
the endpoint does not change
the existing slave interfaces.
v bonding_opts - String - The
bonding options that are
configured on the bonded
network interface

Chapter 7. Previous REST API versions 1291

 Table 2605. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
response codes
HTTP Response
Code Unique Code Description
200 The bonded network interface was updated.
404 1002 The requested server with the given server ID
cannot be found.
409 1004 The ip address has been used by another network
interface.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to update the
specified bonded interfaces on the server with the
given ID.
500 1022 Timeout while performing the task.

Response Description

The updated bonded network interface that contains the following fields:
v device_name - String - The name of the network interface.
v role - String - The role of the network interface. One of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled.
v ipversion - String - The verson of the IP address that is configured on the
network interface. one of: ipv4, ipv6
v ip - String - The IP address that is configured on the network interface.
v mask - String - The netmask that is configured on the network interface.
v is_auto_ip - Boolean - Is the IP address auto-configured?
v is_moving_config_with_active_ha - Boolean - Applies the same settings to a
new active HA server during failover.
v bonding_opts - String - The bonding options that are configured on the bonded
network interface.
v slaves - Array - The slave ethernet interfaces of the bonded interface. Each slave
interface has two fields: device_name and role. The role is slave or
slave_disabled.

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4,
ipv6>",
"is_auto_ip": true,
"is_cable_linked": "String <one of: true,
false,
unknown>",
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,

1292 QRadar API Reference Guide

 hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": "String <one of: true,
false,
unknown>",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}

DELETE /system/servers/{server_id}/network_interfaces/bonded/
{device_name} DEPRECATED
Removes a bonded network interface.
Table 2606. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}
resource details
MIME Type
text/plain

Table 2607. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The ID of
(Integer) the server.
device_name path Required String text/plain Required - The
device name of the
bonded network
interface.

Table 2608. DELETE /system/servers/{server_id}/network_interfaces/bonded/{device_name}

response codes
HTTP Response
Code Unique Code Description
200 The bonded network interface was removed.
404 1002 The requested server with the given server ID or the
bonded network interface cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error occurred while trying to remove the
bonded interface on the server with the given ID.
500 1022 Timeout while performing the task.

Chapter 7. Previous REST API versions 1293

 Response Description

Response Sample

REST API V5.1 References

Each API reference provides information about the parameters, mime type,
stability, and responses for each endpoint.

Analytics endpoints
Use the references for REST API V5.1 analytics endpoints.

GET /analytics/custom_actions/actions DEPRECATED

Retrieves a list of available custom actions.
Table 2609. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2610. GET /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2611. GET /analytics/custom_actions/actions response codes

HTTP Response
Code Unique Code Description
200 The requested list of custom actions have been
successfully retrieved.
500 1020 An internal server error occurred while retrieving
custom actions.

1294 QRadar API Reference Guide

Response Description

Array of available custom actions which in turn contain the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions DEPRECATED

Creates a new custom action with the supplied fields.

The custom action must contain the following fields:

v name - Required - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.

Chapter 7. Previous REST API versions 1295

 v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Required - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Required - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.
value - Required - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 2612. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2613. POST /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2614. POST /analytics/custom_actions/actions request body details

Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON { "description":
object containing the "String", "interpreter":
supplied fields (see 42, "name": "String",
above for more "parameters": [ {
details). "encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 2615. POST /analytics/custom_actions/actions response codes

HTTP Response
Code Unique Code Description
201 A new custom action has been successfully created.
422 1005 One or more parameters are invalid in request.

1296 QRadar API Reference Guide

Table 2615. POST /analytics/custom_actions/actions response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An internal server error occurred while posting
custom action.

Response Description

The newly created custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

GET /analytics/custom_actions/interpreters DEPRECATED

Retrieves a list of available custom action interpreters.
Table 2616. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1297

 Table 2617. GET /analytics/custom_actions/interpreters request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2618. GET /analytics/custom_actions/interpreters response codes

HTTP Response
Code Unique Code Description
200 The requested list of custom action interpreters have
been retrieved.
500 1020 An internal server error occurred while retrieving
available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

1298 QRadar API Reference Guide

GET /analytics/custom_actions/interpreters/{interpreter_id}
DEPRECATED
Retrieves a custom action interpreter based on supplied interpreter ID.
Table 2619. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 2620. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
interpreter_id path Required Number text/plain Number id of custom
(Integer) action interpreter to be
retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2621. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes

HTTP Response
Code Unique Code Description
200 - The requested custom action interpreter has been
retrieved.
404 1002 The requested custom action interpreter could not be
found.
500 1020 An internal server error occurred while retrieving
custom action interpreter with supplied
interpreter_id.

Response Description

A custom action interpreter with the following fields:

v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
{
"id": 42,
"name": "String"
}

Chapter 7. Previous REST API versions 1299

 GET /analytics/custom_actions/scripts DEPRECATED
Retrieves a list of meta-data for available custom action script files.
Table 2622. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 2623. GET /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2624. GET /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
500 1020 An internal server error occurred while retrieving
available custom action script file meta-data.

Response Description

Array of available custom action script file meta-data, each with the following
fields:
v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

1300 QRadar API Reference Guide

Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts DEPRECATED

Creates a new custom action script file. Newly created custom action script files
require a deployment before using.

Newly created custom action script files require a deployment before use. You can
include an optional HTTP header file_name that contains the custom action script
file name. If not specified, the custom action script file name defaults to the script
ID of the uploaded file.
Table 2625. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 2626. POST /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2627. POST /analytics/custom_actions/scripts request body details

Parameter Data Type MIME Type Description Sample
file File application/octet- Required. The custom File
stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Table 2628. POST /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
201 A custom action script file has been created.
500 1020 An internal server error occurred while posting
custom action script file.

Response Description

Custom action script file meta-data with the following fields:

Chapter 7. Previous REST API versions 1301

 v id - Number - Unique ID of the custom action script within the QRadar
deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/actions/{action_id} DEPRECATED

Retrieves a custom action based on the supplied action_id.
Table 2629. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 2630. GET /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Long id of the custom
(Integer) action to be retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2631. GET /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action has been successfully
retrieved.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while retrieving
custom action with supplied action_id.

Response Description

A custom action with containing following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.

1302 QRadar API Reference Guide

v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id}
DEPRECATED
Updates an existing custom action.

The custom action must contain the following fields:

v id - Required - Number - Unique ID of the custom action within the QRadar
deployment.
v name - Optional - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Optional - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Optional - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.

Chapter 7. Previous REST API versions 1303

 value - Optional - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 2632. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 2633. POST /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action to be
updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2634. POST /analytics/custom_actions/actions/{action_id} request body details

Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON { "description":
object which can "String", "id": 42,
contain the supplied "interpreter": 42,
fields (see above for "name": "String",
more details). "parameters": [ {
"encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 2635. POST /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The custom action has been updated.
404 1002 The requested custom action could not be found.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while updating
custom action with supplied action_id.

1304 QRadar API Reference Guide

Response Description

The updated custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

DELETE /analytics/custom_actions/actions/{action_id}
DEPRECATED
Deletes an existing custom action.
Table 2636. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 2637. DELETE /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action you wish
to delete.

Chapter 7. Previous REST API versions 1305

 Table 2638. DELETE /analytics/custom_actions/actions/{action_id} response codes
HTTP Response
Code Unique Code Description
204 The custom action has been deleted.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while deleting
custom action with supplied action_id.

Response Description

Empty response with 204 successful response code.

Response Sample

GET /analytics/custom_actions/scripts/{script_id} DEPRECATED

Retrieves meta-data of a custom action script file based on supplied script_id.
Table 2639. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 2640. GET /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script
file.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2641. GET /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while retrieving
custom action script file meta-data with supplied
script_id.

1306 QRadar API Reference Guide

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id} DEPRECATED

Updates an existing custom action script file. Updated custom action script files
require a deployment before using.

Updated custom action script files require a deployment before use. You can
include an optional HTTP header file_name containing the custom action script file
name. If not specified, the custom action script file name defaults to the script ID
of the uploaded file.
Table 2642. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 2643. POST /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2644. POST /analytics/custom_actions/scripts/{script_id} request body details

Parameter Data Type MIME Type Description Sample
file File application/octet- Required. The custom File
stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Chapter 7. Previous REST API versions 1307

 Table 2645. POST /analytics/custom_actions/scripts/{script_id} response codes
HTTP Response
Code Unique Code Description
200 The custom action script file has been updated.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while updating
custom action script file with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

DELETE /analytics/custom_actions/scripts/{script_id}
DEPRECATED
Deletes an existing custom action script file.
Table 2646. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 2647. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be deleted.

Table 2648. DELETE /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
204 The custom action script file has been deleted.
404 1002 The requested custom action script file could not be
found.
422 1005 The requested custom action script file is tied to an
existing custom action.
500 1020 An internal server error occurred while deleting
custom action script file with supplied script_id.

1308 QRadar API Reference Guide

 Response Description

Empty response with a 204 successful response code.

Response Sample

Ariel endpoints
Use the references for REST API V5.1 Ariel endpoints.

GET /ariel/databases DEPRECATED

Retrieve Ariel database names

Retrieve a list of available Ariel databases.

Table 2649. GET /ariel/databases resource details
MIME Type
application/json

Table 2650. GET /ariel/databases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2651. GET /ariel/databases response codes

HTTP Response
Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of Ariel databases.

Response Description

The names of the available Ariel databases.

Response Sample
[
"String"
]

GET /ariel/databases/{database_name} DEPRECATED

Retrieve the columns defined for a specific Ariel database.

Chapter 7. Previous REST API versions 1309

 This is the set of columns that can be explicitly named in the column list of a
SELECT query.
Table 2652. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 2653. GET /ariel/databases/{database_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
database_name path Required String text/plain Required. The name of
the Ariel database that
contains the columns
that you want to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.

Table 2654. GET /ariel/databases/{database_name} response codes

HTTP Response
Code Unique Code Description
200 The database columns were retrieved.
404 1002 The database does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
database columns.

Response Description

A list of columns that are defined for the specified database. Multiple properties of
each column are returned. For example, the column name or an indication that the
column is indexable.

1310 QRadar API Reference Guide

Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,
"name": "String"
}
]
}

GET /ariel/searches DEPRECATED

Retrieve Ariel search_ids.

Retrieve the list of Ariel searches. This includes search_ids for completed and
active searches.
Table 2655. GET /ariel/searches resource details
MIME Type
application/json

Table 2656. GET /ariel/searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2657. GET /ariel/searches response codes

HTTP Response
Code Unique Code Description
200 The search list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of searches.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

Chapter 7. Previous REST API versions 1311

 POST /ariel/searches DEPRECATED
Create a new asynchronous Ariel search

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query
expression. Searches are executed asynchronously. A reference to the search_id is
returned and should be used in subsequent API calls to determine the status of the
search and retrieve the results once it is complete.

This endpoint only accepts SELECT and RUN query expressions.

Queries are applied to the range of data in a certain time interval. By default this
time interval is the last 60 seconds. An alternative time interval can be specified by
specifying them as part of the query expression. For further information, see the
AQL reference.
Table 2658. POST /ariel/searches resource details
MIME Type
application/json

Table 2659. POST /ariel/searches request parameter details

Parameter Type Optionality Data Type MIME Type Description
query_expression query Required String text/plain Required - The AQL
query to execute.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2660. POST /ariel/searches response codes

HTTP Response
Code Unique Code Description
201 A new Ariel search was successfully created.
409 1004 The search could not be created, the requested
search ID provided in the query_expression is
already in use. Please use a unique search ID (or
allow one to be generated).
422 2000 The query_expression contains invalid AQL syntax.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create a new
search.

Response Description

Information about the specified search, including the search_id. Use the search_id
to access or manipulate the search with the other API endpoints.

1312 QRadar API Reference Guide

If the exact search being created was already recently created, the response
message will return a reference to the original search_id rather than creating a new
search.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

GET /ariel/searches/{search_id} DEPRECATED

Retrieve information about an Ariel search

Retrieve status information for a search, based on the search_id parameter. The
same informational fields are returned regardless of whether the search is in
progress or is complete.
Table 2661. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2662. GET /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The identifier
for an Ariel search.

Chapter 7. Previous REST API versions 1313

 Table 2662. GET /ariel/searches/{search_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2663. GET /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
200 The search information was retrieved.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
search information.

Response Description

Information about the specified search, including the search status.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

1314 QRadar API Reference Guide

POST /ariel/searches/{search_id} DEPRECATED
Update an Ariel search.

Update details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops
the search and keeps any search results that were collected before the search was
canceled.
v The results for a completed search can be saved by setting the save_results
parameter to true. This ensures that the search is not automatically removed
when it expires in accordance with the retention policy.

The Ariel server uses an internal retention policy to manage available disk space.
Searches might be deleted automatically, according to the settings of the retention
policy. Searches with saved results are not automatically reclaimed by the server
and are therefore retained. A search can be explicitly deleted by using the DELETE
/searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to
process new searches.
Table 2664. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 2665. POST /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The ID of the
search to update.
save_results query Optional String text/plain Optional. The only
accepted value is true.
If this value is
provided, the search
results will not be
deleted by the search
expiration removal
process.
status query Optional String text/plain Optional. The only
accepted value is
CANCELED. If this
value is provided, the
search will be canceled.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1315

 Table 2666. POST /ariel/searches/{search_id} response codes
HTTP Response
Code Unique Code Description
200 The search was updated.
404 1002 The search does not exist.
409 1008 The current status of the search prevented the search
results from being saved.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the
search.

Response Description

Information about the specified search that was updated.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

DELETE /ariel/searches/{search_id} DEPRECATED

Delete an Ariel search

Deletes an Ariel search. This discards any results that were collected and stops the
search if it is currently processing. This search is deleted regardless of whether the
results were saved.
Table 2667. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

1316 QRadar API Reference Guide

Table 2668. DELETE /ariel/searches/{search_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required - The
search_id of the search
to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2669. DELETE /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
202 The delete request has been accepted.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to delete the
search.

Response Description

Information about the deleted search

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,

Chapter 7. Previous REST API versions 1317

 "save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

GET /ariel/searches/{search_id}/results DEPRECATED

Retrieves search results in the requested format.

Retrieve the results of the Ariel search that is identified by the search_id. The
Accepts request header indicates the format of the result. The format can be JSON,
CSV, XML, or tabular text.

By default, all query result records are returned. To restrict the results to a
contiguous subset of the records, you can supply a Range header to specify the
inclusive range of records to be returned.

This end-point works with query results that are generated by AQL query
expressions. This endpoint might not work as expected for results that are
generated by other means. Search results might not be retrievable for searches that
are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP
from events.
Table 2670. GET /ariel/searches/{search_id}/results resource details
MIME Type
application/json application/csv text/table application/xml

Table 2671. GET /ariel/searches/{search_id}/results request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain The ID of the search
criteria for the returned
results.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2672. GET /ariel/searches/{search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The search results were retrieved.
404 1002 The search does not exist.
404 1003 Search results not found. The search is still in
progress.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
search results.

1318 QRadar API Reference Guide

 Response Description

The search results for the specified search_id. The format that is used to
encapsulate the data depends on the format specified in the Accept header for this
request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}

Asset model endpoints

Use the references for REST API V5.1 Asset Model endpoints.

GET /asset_model/assets DEPRECATED

List all assets found in the model.
Table 2673. GET /asset_model/assets resource details
MIME Type
application/json

Table 2674. GET /asset_model/assets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 1319

 Table 2675. GET /asset_model/assets response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.
500 1020 The server encountered an error while trying to
retrieve the assets.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[{"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"network_id": 42,
"value": "String",
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"type": "String"}]
}],
"properties": [{"id": 42,
"name": "String",
"value": "String",
"last_reported": 42,
"type_id": 42,
"last_reported_by": "String"}]
}]

POST /asset_model/assets/{asset_id} DEPRECATED

Update an asset with several pertinent pieces of information.

The asset_id tag is mandatory, and is the unique identifier for an asset. This field
is available through the /asset_model/assets or /asset_model/saved_searches/
{saved_search_id}/results query. To update properties, the property type ID which
is available through the /asset_model/properties query must be provided along
with the new value. See the sample provided demonstrating an example asset
update.
Table 2676. POST /asset_model/assets/{asset_id} resource details
MIME Type
text/plain

1320 QRadar API Reference Guide

Table 2677. POST /asset_model/assets/{asset_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
asset_id path Required String text/plain Unique identifier of the
asset to update.

Table 2678. POST /asset_model/assets/{asset_id} request body details

Parameter Data Type MIME Type Description Sample
asset JSON application/json JSON representation of { "properties": [ {
an asset. "type_id": 1001, "value":
"given name value" }, {
"type_id": 1002, "value":
"unified name value" } ]
}

Table 2679. POST /asset_model/assets/{asset_id} response codes

HTTP Response
Code Unique Code Description
202 The request to update the asset was successful. The
update will take place when the asset profile
application receives the request.
422 1005 One or more of the requested property updates were
invalid.
500 1020 The server encountered an error registering the
update with the asset profile application.

Response Description

Information about the asset that was updated.

Response Sample
String

GET /asset_model/properties DEPRECATED

Get a list of available asset property types that can be used.

Get a list of available asset property types that can be used or applied against the
/asset_model/assets endpoint.
Table 2680. GET /asset_model/properties resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1321

 Table 2681. GET /asset_model/properties request parameter details
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2682. GET /asset_model/properties response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of asset property
types completed successfully.
500 1020 An error occurred while trying to retrieve the list of
asset property types.

Response Description

List of asset properties. Per asset property type: id and name that make up this
asset property type.

Response Sample
[
{
"custom": true,
"data_type": "String",
"display": true,
"id": 42,
"name": "String",
"state": 42
}
]

GET /asset_model/saved_searches DEPRECATED

Get a list of saved searches that can be used.

1322 QRadar API Reference Guide

Get a list of saved searches that can be used or applied against the
/asset_model/saved_searches/{saved_search_id}/results query.
Table 2683. GET /asset_model/saved_searches resource details
MIME Type
application/json

Table 2684. GET /asset_model/saved_searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2685. GET /asset_model/saved_searches response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve the list of saved searches
completed successfully.
500 1020 The server encountered an error while trying to
retrieve the list of saved searches.

Response Description

List of saved searches. Per saved search: id, name and list of filters that make up
this saved search

Response Sample
[
{
"columns": [
{
"name": "String",

Chapter 7. Previous REST API versions 1323

 "type": "String"
}
],
"description": "String",
"filters": [
{
"operator": "String",
"parameter": "String",
"value": "String"
}
],
"id": 42,
"name": "String"
}
]

GET /asset_model/saved_searches/{saved_search_id}/results
DEPRECATED
Retrieves a list of assets based on the results of an asset saved search.
Table 2686. GET /asset_model/saved_searches/{saved_search_id}/results resource details
MIME Type
application/json

Table 2687. GET /asset_model/saved_searches/{saved_search_id}/results request

parameter details
Parameter Type Optionality Data Type MIME Type Description
saved_search_id path Required String text/plain Unique identifier of the
saved search used to
retrieve assets.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.

Table 2688. GET /asset_model/saved_searches/{saved_search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.

1324 QRadar API Reference Guide

 Table 2688. GET /asset_model/saved_searches/{saved_search_id}/results response
codes (continued)
HTTP Response
Code Unique Code Description
422 1005 The unique identifier of the saved search provided
was invalid.
500 1003 The server encountered an error executing the saved
search.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[
{
"domain_id": 42,
"id": 42,
"interfaces": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"ip_addresses": [
{
"created": 42,
"first_seen_profiler": 42,
"first_seen_scanner": 42,
"id": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"network_id": 42,
"type": "String",
"value": "String"
}
],
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String"
}
],
"properties": [
{
"id": 42,
"last_reported": 42,
"last_reported_by": "String",
"name": "String",
"type_id": 42,
"value": "String"
}
]
}
]

Authentication endpoints
Use the references for REST API V5.1 authentication endpoints.

Chapter 7. Previous REST API versions 1325

 POST /auth/logout DEPRECATED
Invoke this method as an authorized user and your session will be invalidated.
Table 2689. POST /auth/logout resource details
MIME Type
text/plain

There are no parameters for this endpoint.

Table 2690. POST /auth/logout response codes
HTTP Response
Code Unique Code Description
200 The session was invalidated.

Response Description

Returns true. Throws exception upon failure.

Response Sample
true

Configuration endpoints
Use the references for REST API V5.1 configuration endpoints.

GET /config/domain_management/domains DEPRECATED

Retrieves the list of all domains, active and deleted (including the default domain).

The list is ordered by domain ID. If domains were never configured, only the
default domain is returned.
Table 2691. GET /config/domain_management/domains resource details
MIME Type
application/json

Table 2692. GET /config/domain_management/domains request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

1326 QRadar API Reference Guide

Table 2692. GET /config/domain_management/domains request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2693. GET /config/domain_management/domains response codes

HTTP Response
Code Unique Code Description
200 The domain list has been successfully retrieved.
500 1020 An error occurred while the domain list was being
retrieved.

Response Description

The list of domain objects.

Response Sample
[
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [

Chapter 7. Previous REST API versions 1327

 42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}
]

POST /config/domain_management/domains DEPRECATED

Creates a new domain.
Table 2694. POST /config/domain_management/domains resource details
MIME Type
application/json

Table 2695. POST /config/domain_management/domains request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2696. POST /config/domain_management/domains request body details

Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object { "asset_scanner_ids":
(its id parameter is [42],
ignored). "custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

1328 QRadar API Reference Guide

Table 2697. POST /config/domain_management/domains response codes
HTTP Response
Code Unique Code Description
201 The domain has been successfully created.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
created.

Response Description

A created domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/domain_management/domains/{domain_id}
DEPRECATED
Retrieves a domain by domain ID.
Table 2698. GET /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1329

 Table 2699. GET /config/domain_management/domains/{domain_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2700. GET /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully retrieved.
404 1002 No domain was found for the provided domain id.
500 1020 An error occurred while the domain was being
retrieved.

Response Description

A domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42

1330 QRadar API Reference Guide

 ],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

POST /config/domain_management/domains/{domain_id}
DEPRECATED
Updates an existing domain.
Table 2701. POST /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 2702. POST /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to update.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2703. POST /config/domain_management/domains/{domain_id} request body details

Parameter Data Type MIME Type Description Sample
domain Object application/json A domain JSON object. { "asset_scanner_ids":
[42],
"custom_properties":
[{"capture_result":
"String", "id": 42}],
"deleted": true,
"description": "String",
"event_collector_ids":
[42],
"flow_collector_ids":
[42], "flow_source_ids":
[42],
"log_source_group_ids":
[42], "log_source_ids":
[42], "name": "String",
"qvm_scanner_ids":
[42], "tenant_id": 42 }

Chapter 7. Previous REST API versions 1331

 Table 2704. POST /config/domain_management/domains/{domain_id} response codes
HTTP Response
Code Unique Code Description
200 The domain has been successfully updated.
404 1002 No domain was found for the provided domain id.
409 1004 A domain object parameter already exists.
422 1005 A domain object parameter is invalid.
500 1020 An error occurred while the domain was being
updated.

Response Description

The updated domain object.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [
42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

DELETE /config/domain_management/domains/{domain_id}
DEPRECATED
Deletes a domain by domain ID.

All domain mappings are also deleted

1332 QRadar API Reference Guide

Table 2705. DELETE /config/domain_management/domains/{domain_id} resource details
MIME Type
application/json

Table 2706. DELETE /config/domain_management/domains/{domain_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
domain_id path Required Number text/plain The ID of the domain
(Integer) object to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2707. DELETE /config/domain_management/domains/{domain_id} response codes

HTTP Response
Code Unique Code Description
200 The domain has been successfully deleted.
404 1002 No domain was found for the provided domain id.
422 1005 Default domain cannot be deleted.
500 1020 An error occurred while the domain was being
deleted.

Response Description

The deleted domain object with its parameter deleted set to true.

Response Sample
{
"asset_scanner_ids": [
42
],
"custom_properties": [
{
"capture_result": "String",
"id": 42
}
],
"deleted": true,
"description": "String",
"event_collector_ids": [
42
],
"flow_collector_ids": [
42
],
"flow_source_ids": [

Chapter 7. Previous REST API versions 1333

 42
],
"id": 42,
"log_source_group_ids": [
42
],
"log_source_ids": [
42
],
"name": "String",
"qvm_scanner_ids": [
42
],
"tenant_id": 42
}

GET /config/access/tenant_management/tenants DEPRECATED

Retrieve the list of all tenants ordered by tenant ID.

Retrieve the list of all tenants. The list is ordered by tenant ID.
Table 2708. GET /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 2709. GET /config/access/tenant_management/tenants request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2710. GET /config/access/tenant_management/tenants response codes

HTTP Response
Code Unique Code Description
200 The tenant list was successfully retrieved.

1334 QRadar API Reference Guide

Table 2710. GET /config/access/tenant_management/tenants response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while the tenant list was being
retrieved.

Response Description

a list of all the tenants

Response Sample
[
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}
]

POST /config/access/tenant_management/tenants DEPRECATED

Create a new tenant.
Table 2711. POST /config/access/tenant_management/tenants resource details
MIME Type
application/json

Table 2712. POST /config/access/tenant_management/tenants request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2713. POST /config/access/tenant_management/tenants request body details

Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

Chapter 7. Previous REST API versions 1335

 Table 2714. POST /config/access/tenant_management/tenants response codes
HTTP Response
Code Unique Code Description
201 A new tenant was created successfully and returned
the new tenant object.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to create the tenant.

Response Description

a created tenant object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/access/tenant_management/tenants/{tenant_id}
DEPRECATED
Retrieve a tenant by tenant id.
Table 2715. GET /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 2716. GET /config/access/tenant_management/tenants/{tenant_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain null
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1336 QRadar API Reference Guide

Table 2717. GET /config/access/tenant_management/tenants/{tenant_id} response codes
HTTP Response
Code Unique Code Description
200 The tenant was successfully retrieved.
404 1002 No tenant was found for the provided tenant id.
500 1020 An error occurred while the tenant was being
retrieved.

Response Description

the associated tenants object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

POST /config/access/tenant_management/tenants/{tenant_id}
DEPRECATED
Update a tenant
Table 2718. POST /config/access/tenant_management/tenants/{tenant_id} resource details
MIME Type
application/json

Table 2719. POST /config/access/tenant_management/tenants/{tenant_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - Integer - the
(Integer) tenant id to modify
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1337

 Table 2720. POST /config/access/tenant_management/tenants/{tenant_id} request body
details
Parameter Data Type MIME Type Description Sample
tenant Object application/json Required - Tenant - { "deleted": true,
includes name, "description": "String",
event_rate_limit (unit "event_rate_limit": 42,
eps), flow_rate_limit "flow_rate_limit": 42,
(unit fpm) and "name": "String" }
description

Table 2721. POST /config/access/tenant_management/tenants/{tenant_id} response codes

HTTP Response
Code Unique Code Description
200 A tenant profile that was updated successfully and
returned the updated tenant object.
404 1002 The tenant profile does not exist.
409 1004 A tenant with the given name already exists.
422 1005 A request parameter is invalid.
500 1020 Failed to retrieve/update the given tenant profile.

Response Description

the updated tenant object

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

DELETE /config/access/tenant_management/tenants/{tenant_id}
DEPRECATED
Delete a tenant.

Deletes a tenant by tenant ID.

Table 2722. DELETE /config/access/tenant_management/tenants/{tenant_id} resource
details
MIME Type
application/json

Table 2723. DELETE /config/access/tenant_management/tenants/{tenant_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
tenant_id path Required Number text/plain Required - String - id
(Integer) associated to a tenant

1338 QRadar API Reference Guide

Table 2724. DELETE /config/access/tenant_management/tenants/{tenant_id} response
codes
HTTP Response
Code Unique Code Description
200 The tenant was deleted successfully (soft delete).
404 1002 The tenant does not exists.
500 1020 An error occurred while deleting tenant.

Response Description

the deleted tenant object with its parameter deleted set to true

Response Sample
{
"deleted": true,
"description": "String",
"event_rate_limit": 42,
"flow_rate_limit": 42,
"id": 42,
"name": "String"
}

GET /config/extension_management/extensions DEPRECATED

Retrieve a list of extensions.
Table 2725. GET /config/extension_management/extensions resource details
MIME Type
application/json

Table 2726. GET /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
sort query Optional String text/plain Optional - This
parameter is used to
sort the elements in a
list.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1339

 Table 2726. GET /config/extension_management/extensions request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2727. GET /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
200 The requested list of extensions has been retrieved.
422 22608 The supplied filter is invalid.
422 22615 Unknown status used in filter.
422 22610 The selected field cannot be utilized for sorting.
422 22609 Only top-level-elements of the root entity can be
sorted on.
500 22602 An error has occurred while trying to retrieve the
list of extensions.

Response Description

A list of extensions. Each extension contains the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.

1340 QRadar API Reference Guide

v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
[
{
"file_location": "/store/cmt/exports/custom_rule.zip",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 3,
"identifier": "No Description Supplied",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Blacklist",
"content_type_name": "reference_data"
},
{
"content_type_id": 28,
"identifier": "Asset Reconciliation IPv4 Whitelist",
"content_type_name": "reference_data"
},
{
"content_type_id": 32,
"identifier": "No Description Supplied",
"content_type_name": "reference_data_rules"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150825133843",
"size": 8575,
"id": 59,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "custom_rule.xml",
"install_time": 1440788704856,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440693660702
},
{
"file_location": "/store/cmt/exports/qidmap.xml",
"supported_languages": [
"en_US"
],

Chapter 7. Previous REST API versions 1341

 "contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmap.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}
]

POST /config/extension_management/extensions DEPRECATED

Uploads the supplied extension file to the IBM Security QRadarsystem.
Table 2728. POST /config/extension_management/extensions resource details
MIME Type
application/json

Table 2729. POST /config/extension_management/extensions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1342 QRadar API Reference Guide

Table 2730. POST /config/extension_management/extensions request body details
Parameter Data Type MIME Type Description Sample
file File application/x-gzip Required - The File
Extension file. Must be
a properly-formed
QRadar
extension/content
export, either an XML
file or an XML within a
ZIP or TAR.GZ archive.
Must be provided with
MIME type
application/xml,
application/zip,
application/x-gzip or
multipart/form-data

Table 2731. POST /config/extension_management/extensions response codes

HTTP Response
Code Unique Code Description
201 The supplied extension file has been uploaded.
409 22613 The supplied extension file can not be uploaded
because it shares the same hub_id and version as
one of the extensions in the system.
422 22607 The supplied extension could not be validated
successfully
422 22616 The supplied manifest for the extension is invalid.
500 22602 An error has occurred while trying to upload the
extension file.

Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.

Chapter 7. Previous REST API versions 1343

 v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.
v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

GET /config/extension_management/extensions/{extension_id}
DEPRECATED
Retrieves an extension based on the supplied extension ID.
Table 2732. GET /config/extension_management/extensions/{extension_id} resource details
MIME Type
application/json

1344 QRadar API Reference Guide

Table 2733. GET /config/extension_management/extensions/{extension_id} request
parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2734. GET /config/extension_management/extensions/{extension_id} response codes

HTTP Response
Code Unique Code Description
200 The requested extension has been retrieved.
404 22603 The requested extension cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
requested extension.

Response Description

An extension containing the following fields:

v id - Number - Unique ID of this extension within the QRadar deployment.
v name - String - The name of the extension.
v description - String - The description of the extension.
v author - String - The author (person who generated) the extension.
v version - String - The version of the extension.
v supported_languages - Array of strings - The language tags supported by this
extension.
v exported_qradar_version - String - The version of the QRadar deployment this
extension was exported from.
v min_qradar_version - String - The minimum QRadar version required for the
extension to function properly.
v file_location - String - The location of the extension file on disk.
v size - Number - The size in bytes of the extension file.
v signed - String - The state of the extension's signature.
v beta - Boolean - True if the extension is considered to be beta or experimental.
v added_by - String - The user or authorized service that added the extension to
QRadar.
v installed_by - String The user or authorized service that installed the extension.
v add_time - Number - The date/time at which the extension was added to
QRadar, represented as number of milliseconds since Unix epoch.
v install_time - Number - The date/time at which the extension was installed,
represented as number of milliseconds since Unix epoch.

Chapter 7. Previous REST API versions 1345

 v full_uninstall - Boolean - True if the extension and all of its contents can be
fully uninstalled.
v status - String - The tag corresponding to the current status of the extension.
Possible values are UPLOADED, UPLOADING, INSTALLED, INSTALLING,
INSTALL_FAILED, UNINSTALLED, UNINSTALLING, UNINSTALL_FAILED,
NOT_INSTALLED, PREVIEWING, NONE.
v contents - Array of objects representing an item contained within the extension.
Each object has the following fields:
content_type_id - Number - The ID of the content type.
content_type_name - String - The name of the content type.
identifier - String - The descriptive name/identifier of the item.

Response Sample
{
"file_location": "/store/cmt/exports/qidmaps.xml",
"supported_languages": [
"en_US"
],
"contents": [
{
"content_type_id": 27,
"identifier": "",
"content_type_name": "qidmap"
}
],
"status": "INSTALLED",
"signed": "NOT_SIGNED",
"full_uninstall": false,
"min_qradar_version": null,
"beta": false,
"version": "7.2.6.20150821144442",
"size": 675,
"id": 2,
"author": "admin",
"description": null,
"exported_qradar_version": null,
"name": "qidmaps.xml",
"install_time": 1440612194941,
"installed_by": "admin",
"added_by": "admin",
"add_time": 1440555001236
}

POST /config/extension_management/extensions/{extension_id}
DEPRECATED
Install an extension based on the supplied extension ID. This is an asynchronous
action.

Installs the Extension corresponding to the supplied extension ID Alternatively can

be used to preview an extension, showing what values are applied if the extension
is installed.
Table 2735. POST /config/extension_management/extensions/{extension_id} resource
details
MIME Type
application/json

1346 QRadar API Reference Guide

Table 2736. POST /config/extension_management/extensions/{extension_id} request
parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension.
action_type query Required String text/plain Required - The desired
action to take on the
Extension (INSTALL or
PREVIEW)
overwrite query Optional Boolean text/plain Optional - If true, any
existing items on the
importing system will be
overwritten if the
extension contains the
same items. If false,
existing items will be
preserved, and the
corresponding items in
the extension will be
skipped.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2737. POST /config/extension_management/extensions/{extension_id} response

codes
HTTP Response
Code Unique Code Description
202 The requested install or preview task has been
started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22612 The supplied extension cannot be
installed/previewed because it is already installed
409 22611 The supplied extension cannot be
installed/previewed because it is already in the
process of being installed/previewed.
409 22618 The requested task can not be initiated because
another preview/install task is already in progress.
422 22605 The supplied action type is invalid
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to install or
preview the requested extension.

Chapter 7. Previous REST API versions 1347

 Response Description

A JSON string depicting the accepted task for previewing/installing an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

DELETE /config/extension_management/extensions/
{extension_id} DEPRECATED
Uninstall an extension based on the supplied extension ID. This is an
asynchronous action.
Table 2738. DELETE /config/extension_management/extensions/{extension_id} resource
details
MIME Type
application/json

Table 2739. DELETE /config/extension_management/extensions/{extension_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
extension_id path Required Number text/plain Required - The id of the
(Integer) extension to be
uninstalled.

1348 QRadar API Reference Guide

Table 2739. DELETE /config/extension_management/extensions/{extension_id} request
parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2740. DELETE /config/extension_management/extensions/{extension_id} response

codes
HTTP Response
Code Unique Code Description
202 The requested uninstall task has been started.
404 22603 The requested extension cannot be found.
404 22604 The task status for status_id cannot be found.
409 22611 The supplied extension cannot be uninstalled
because it is already in the process of being
uninstalled.
409 22617 The extension can not be uninstalled because it is
already in the process of being previewed/installed.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to uninstall an
extension.

Response Description

A JSON string depicting the accepted task for uninstalling an extension:

v message - String - description of the accepted task.
v status_location - String - the url of the task status.
v current_status - String - a JSON object depicting the current status of the task.

Response Sample
{
"message": "Uninstalling an extension",
"status_location":
"https://1.1.1.1/console/restapi/api/config/extension_management/
extensions_task_status/101",
"current_status": {
"progress": 0,
"result_url": null,
"cancelled_by": null,
"status": "QUEUED",
"task_components": null,
"modified": 1440891410849,
"id": 101,
"message": "Queued Extension uninstallation task for extension id 2",
"created_by": "admin",
"created": 1440891410629,
"maximum": 0,

Chapter 7. Previous REST API versions 1349

 "cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891410847,
"completed": null
}
}

GET /config/extension_management/extensions_task_status/
{status_id} DEPRECATED
Retrieves the tasks status based on the status ID.
Table 2741. GET /config/extension_management/extensions_task_status/{status_id}
resource details
MIME Type
application/json

Table 2742. GET /config/extension_management/extensions_task_status/{status_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - the id of the
(Integer) task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2743. GET /config/extension_management/extensions_task_status/{status_id}

response codes
HTTP Response
Code Unique Code Description
200 The requested task status has been retrieved.
404 22604 The task status for status_id cannot be found.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
task status.

Response Description

A task status containing the following fields:

v id - Number - The ID of the task status.
v name - String - The name of the task status.
v status - String - A string that represents the current state of the task status.
v message - String - A message regarding the current state of the task.

1350 QRadar API Reference Guide

v progress - Number - The current progress of the task
v minimum - Number - The minimum progress of the task.
v maximum - Number - The maximum progress of the task.
v created_by - String - The username of the user who created the task.
v cancelled_by - String - The username of the user who cancelled the task.
v created - Number - The date/time at which this task was created, represented as
number of milliseconds since Unix epoch.
v started - Number - The date/time at which this task was started, represented as
number of milliseconds since Unix epoch.
v modified - Number - The date/time at which this task was last modified,
represented as number of milliseconds since Unix epoch.
v completed - Number - The date/time at which this task was completed,
represented as number of milliseconds since Unix epoch.
v result_url - String - The url where the result can be viewed.
v cancel_requested - Boolean - True if cancel has been requested.
v child_tasks - Array - Array of child task id's that are executed asynchronously
from this task.
v task_components - Array - Array of task components that are executed
sequentially.

Response Sample
{
"progress": 0,
"result_url": "",
"cancelled_by": "",
"status": "COMPLETED",
"task_components": null,
"modified": 1440891517961,
"id": 102,
"message": "Completed Extension uninstallation task for extension id 56",
"created_by": "admin",
"created": 1440891514006,
"maximum": 0,
"cancel_requested": false,
"name": "Extension uninstallation task",
"child_tasks": null,
"started": 1440891514041,
"completed": 1440891515224
}

GET /config/extension_management/extensions_task_status/
{status_id}/results DEPRECATED
Retrieves the tasks status results based on the status ID.
Table 2744. GET /config/extension_management/extensions_task_status/{status_id}/results
resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1351

 Table 2745. GET /config/extension_management/extensions_task_status/{status_id}/results
request parameter details
MIME
Parameter Type Optionality Data Type Type Description
status_id path Required Number text/plain Required - The id of
(Integer) the task status.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2746. GET /config/extension_management/extensions_task_status/{status_id}/results

response codes
HTTP Response
Code Unique Code Description
200 The requested results of the task status have been
retrieved.
404 22604 The task status for status_id cannot be found.
404 22614 The task results are not available.
422 22606 A supplied numeric parameter was not positive.
500 22602 An error has occurred while trying to retrieve the
results of a task status.

Response Description

A JSON object representing the result of an Extension preview, install or uninstall

task. It contains the following fields:
v id - Number - The ID of the extension.
v task_type - String - The type of task that was issued against the Extension.
v content - Array - An array of JSON objects representing the contents of the
extension and what action is associated with each content item for the task that
was executed. Each content item contains the following fields:
name - String - The name of the content item.
content_type_id - Number - The ID of the type of the content item.
content_type_name - String - The name of the type of the content item.
action - String - The action taken for the content item.

Response Sample
{
"id": 56,
"task_type": "UNINSTALL",
"content": [
{
"content_type_id": 3,
"name": "SYSTEM-1607",

1352 QRadar API Reference Guide

 "action": "SKIP",
"content_type_name": "custom_rule"
},
{
"content_type_id": 28,
"name": "Asset Reconciliation IPv4 Whitelist",
"action": "SKIP",
"content_type_name": "reference_data"
}
]
}

GUI application framework endpoints

Use the references for REST API V5.1 GUI application framework endpoints.

GET /gui_app_framework/application_creation_task
DEPRECATED
Retrieve status details.

Retrieve a list of status details of all asynchronous requests to create applications.

Table 2747. GET /gui_app_framework/application_creation_task resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2748. GET /gui_app_framework/application_creation_task response codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the requests to create applications.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

Chapter 7. Previous REST API versions 1353

 POST /gui_app_framework/application_creation_task
DEPRECATED
Creates a new application within the Application framework.

Create a new application within the Application framework, and register it with
QRadar. The application is created asynchronously. A reference to the
application_id is returned and should be used in subsequent API calls to determine
the status of the application installation.
Table 2749. POST /gui_app_framework/application_creation_task resource details
MIME Type
application/json

Table 2750. POST /gui_app_framework/application_creation_task request body details

Parameter Data Type MIME Type Description Sample

package zip application/zip A zip file, that contains null

custom code, and a
application manifest JSON file
descriptor

Table 2751. POST /gui_app_framework/application_creation_task response codes

HTTP Response
Code Unique Code Description
201 The application was installed and registered
successfully.

409 1008 An application with that UUID is already installed.

Only an upgrade or delete can be performed in this
state.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"

1354 QRadar API Reference Guide

 }
]
}
]

GET /gui_app_framework/application_creation_task/
{application_id} DEPRECATED
Retrieve a list of status details of a asynchronous request to create application.
Table 2752. GET /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 2753. GET /gui_app_framework/application_creation_task/{application_id} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get the status
(Integer) details of this application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 2754. GET /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 Application Creation Request list was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
list of status details.

Response Description

The details of the request to create application.

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"

Chapter 7. Previous REST API versions 1355

 }
]
}
]

POST /gui_app_framework/application_creation_task/
{application_id} DEPRECATED
Cancel a new application install within the Application framework.

Use this endpoint to cancel a new application install within the Application
framework. The application_id and a status are required.
Table 2755. POST /gui_app_framework/application_creation_task/{application_id} resource
details
MIME Type
application/json

Table 2756. POST /gui_app_framework/application_creation_task/{application_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
application_id path Required Number text/plain Required - The
(Integer) application_id to cancel
installing.
status query Required String text/plain Required - The status to
update the application
install to. Currently only
CANCELLED is
supported

Table 2757. POST /gui_app_framework/application_creation_task/{application_id} response

codes
HTTP Response
Code Unique Code Description
200 The application installation was canceled and
unregistered successfully.
404 1002 The application_id is invalid or could not be found.
422 1005 The status is not valid.
500 1020 An error occurred when attempting to update the
Application request state.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{

1356 QRadar API Reference Guide

 "code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

GET /gui_app_framework/applications DEPRECATED

Retrieve list of applications

Retrieve a list of applications that are installed on the console, with their manifest
json structures and current status.
Table 2758. GET /gui_app_framework/applications resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2759. GET /gui_app_framework/applications response codes
HTTP Response
Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of applications.

Response Description

The list of applications.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",

Chapter 7. Previous REST API versions 1357

 "required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

1358 QRadar API Reference Guide

 "gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

GET /gui_app_framework/applications/{application_id}
DEPRECATED
Retrieve specific application

Retrieve a specific application installed on the console with manifest json structure
and current status.
Table 2760. GET /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1359

 Table 2761. GET /gui_app_framework/applications/{application_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - Get specific
(Integer) installed application
defined by application_id
returned by the initial
POST on
application_creation_task.

Table 2762. GET /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application was retrieved.
404 1002 The application_id is invalid or could not be found.
500 1020 An error occurred while attempting to retrieve the
application.

Response Description

The specific application.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy of
most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}

1360 QRadar API Reference Guide

],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",
"javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},

Chapter 7. Previous REST API versions 1361

 {
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

POST /gui_app_framework/applications/{application_id}
DEPRECATED
Update an Application

Start or stop an application by setting status to RUNNING or STOPPED

respectively.
Table 2763. POST /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 2764. POST /gui_app_framework/applications/{application_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to
update.

1362 QRadar API Reference Guide

Table 2764. POST /gui_app_framework/applications/{application_id} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
status query Required String text/plain Required - The
status of the
application to set to
RUNNING or
STOPPED.

Table 2765. POST /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
200 The application has been successfully updated
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
422 1005 The application status is not valid.
500 1020 An error occurred while attempting to update the
application.

Response Description

Application structure including application status.

Response Sample
[
{
"application_state":{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
RUNNING,
STOPPED,
ERROR>",
"error_message": "String"
}
,
"manifest":{

"name":"Sample Application",
"description":"An example of how to create an application manifest",
"version":"0.0.1",

"areas": [
{
"id":"Qapp1_HelloWorld",
"url":"http://9.21.118.58:5000",
"text":"QApp1",
"description":"Loading a dockerised web app into a tab
inside Qradar",
"required_capabilities":["ADMIN"]
}
],

"dashboard_items": [
{
"text":"Sample Item",
"description":"Sample dashboard item that is a copy

Chapter 7. Previous REST API versions 1363

 of most recent offenses",
"rest_method":"sampleDashboardItem",
"required_capabilities":["ADMIN"]
}
],

"rest_methods": [
{
"name":"sampleDashboardItem",
"url":"/static/sampleDashboardItemResponse.json",
"method":"GET",
"argument_names":[],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleToolbarMethod",
"url":"/static/sampleToolbarButtonResponse.json",
"method":"GET",
"argument_names":["context"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleIPInformation",
"url":"/static/sampleIPInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleUserInformation",
"url":"/static/sampleUserInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"sampleURLInformation",
"url":"/static/sampleURLInformationResponse.json",
"method":"GET",
"argument_names":["metaDataContext"],
"required_capabilities":["ADMIN"]
},
{
"name":"addToReferenceSet",
"url":"/addToReferenceSet",
"method":"GET",
"argument_names":["data"]
}
],

"configuration_pages": [
{
"text":"Open IBM.com",
"description":"Loading IBM.com in a new window",
"icon":null,
"url":"https://www.ibm.com/us/en/",
"required_capabilities":["ADMIN"]
}
],

"gui_actions": [
{
"id":"addToReferenceSet",
"text":"Add To Reference Set",
"description":"Adds to a reference set",
"icon":null,
"rest_method":"addToReferenceSet",

1364 QRadar API Reference Guide

 "javascript":"alert(result)",
"groups":[ "ipPopup" ],
"required_capabilities":[ "ADMIN" ]
},
{
"id":"sampleToolbarButton",
"text":"Sample Toolbar Button",
"description":"Sample toolbar button that calls a REST method,
passing an offense ID along",
"icon":null,
"rest_method":"sampleToolbarMethod",
"javascript":"alert(result)",
"groups":[ "OffenseListToolbar" ],
"required_capabilities":[ "ADMIN" ]
}
],

"page_scripts": [
{
"app_name":"SEM",
"page_id":"OffenseList",
"scripts":["/static/sampleScriptInclude.js"]
}
],

"metadata_providers": [
{
"rest_method":"sampleIPInformation",
"metadata_type":"ip"
},
{
"rest_method":"sampleUserInformation",
"metadata_type":"userName"
},
{
"rest_method":"sampleURLInformation",
"metadata_type":"ariel:URL"
}
]
}
}
]

PUT /gui_app_framework/applications/{application_id}
DEPRECATED
Upgrade an application.

Upgrade an application.
Table 2766. PUT /gui_app_framework/applications/{application_id} resource details
MIME Type
application/json

Table 2767. PUT /gui_app_framework/applications/{application_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain null
(Integer)

Chapter 7. Previous REST API versions 1365

 Table 2768. PUT /gui_app_framework/applications/{application_id} request body details
Parameter Data Type MIME Type Description Sample
package zip application/zip A zip file, that contains null
custom code, and a
application manifest
JSON file descriptor

Table 2769. PUT /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
202 The request for an application upgrade was
accepted.
404 1002 The application_id is invalid or could not be found.
409 1008 The application is locked by another process.
422 1005 The provided application is invalid. See messages
for further details.
500 1020 The application could not be created.

Response Description

application id and status

Response Sample
[
{
"application_id":"101",
"status":"String <one of: CREATING,
UPGRADING,
COMPLETED,
CANCELLED,
ERROR>",
"error_messages": [
{
"code":"String <one of: ERROR_DB_UNAVAILABLE,
ERROR_FRAMEWORK_UNAVAILABLE,
ERROR_CREATING_IMAGE,
ERROR_STARTING_CONTAINER>",
"message":"String"
}
]
}
]

DELETE /gui_app_framework/applications/{application_id}
DEPRECATED
Delete an Application.
Table 2770. DELETE /gui_app_framework/applications/{application_id} resource details
MIME Type
text/plain

1366 QRadar API Reference Guide

 Table 2771. DELETE /gui_app_framework/applications/{application_id} request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
application_id path Required Number text/plain Required - The
(Integer) applicationId of the
application to delete.

Table 2772. DELETE /gui_app_framework/applications/{application_id} response codes

HTTP Response
Code Unique Code Description
204 The application has been successfully unregistered.
404 1002 The application_id does not exist.
409 1008 The application is locked by another process.
500 1020 An error occurred while attempting to delete the
application.

Response Description

Successful response code 204 No content.

Response Sample

Help endpoints
Use the references for REST API V5.1 Help endpoints.

GET /help/capabilities DEPRECATED

List all QRadar API capabilities

List the QRadar API capabilities. The response will contain all available RESTful
resources We allow every authenticated user to access this method, but restrict the
output based on their user capabilities
Table 2773. GET /help/capabilities resource details
MIME Type
application/json

Table 2774. GET /help/capabilities request parameter details

Parameter Type Optionality Data Type MIME Type Description
categories query Optional Array<String> application/json Optional - Restrict your
search to this list of
capabilities
paths query Optional Array<String> application/json Optional - Restrict your
search to these paths only
httpMethods query Optional Array<String> application/json Optional - Restrict your
search to these HTTP
methods
version query Optional String text/plain Optional - Restrict your
search to this version (or
below)
showExperimental query Optional Boolean text/plain Optional - If true, we
include experimental
endpoints (default is true)

Chapter 7. Previous REST API versions 1367

 Table 2774. GET /help/capabilities request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The list
is indexed starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Table 2775. GET /help/capabilities response codes

HTTP Response
Code Unique Code Description
200 The API capabilities list was retrieved.
422 1001 Invalid input
422 1002 Our internal mapping has an unexpected structure
or contains an invalid element value
500 1003 A generic error has occurred while retrieving our
capabilities

Response Description

Endpoints you are able to access, mapped against versions they belong to. If full
content is not requested, values will be null.

Response Sample
{
"categories": [
{
"apis": [
{
"httpMethod": "String <one of: OPTIONS,
GET,
HEAD,
POST,
PUT,
DELETE,
TRACE,
CONNECT,
PATCH>",
"operations": [
{
"additionalFiltering": true,
"deprecated": true,
"description": "String",
"errorResponses": [
{
"code": 42,
"description": "String",
"uniqueCode": 42
}
],
"httpMethod": "String",
"lastSupportedVersion": "String",
"parameters": [

1368 QRadar API Reference Guide

 {
"allowMultiple": true,
"defaultValue": "String",
"description": "String",
"name": "String",
"pathIndex": 42,
"required": true,
"source": "String",
"supportedContentTypes": [
{
"dataType": "String",
"mimeType": "String",
"sample": "String"
}
]
}
],
"removalTarget": "String",
"removed": true,
"responseClass": "String",
"responseDescription": {
"description": "String",
"properties": [
{
"description": "String",
"name": "String"
}
]
},
"successResponses": [
{
"code": 42,
"description": "String"
}
],
"summary": "String",
"supportedContentTypes": [
{
"dataType": "String",
"mimeType": "String",
"sample": "String"
}
],
"version": "String",
"visibility": "String"
}
],
"path": "String"
}
],
"path": "String"
}
],
"path": "String"
}

QRadar Vulnerability Manager endpoints

Use the references for REST API V5.1 QRadar Vulnerability Manager endpoints.

GET /qvm/assets DEPRECATED

List the assets with discovered vulnerabilities present in the asset model. The
response contains all available RESTful resources.

Chapter 7. Previous REST API versions 1369

 Table 2776. GET /qvm/assets resource details
MIME Type
application/json

Table 2777. GET /qvm/assets request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2778. GET /qvm/assets response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by asset
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of assets data

Response Sample

GET /qvm/filters DEPRECATED

Get a list of the allowable filters that can be used or applied against /qvm
endpoints.
v /qvm/assets
v /qvm/vulns
v /qvm/vulninstances
v /qvm/openservices
v /qvm/networks
v queries
Table 2779. GET /qvm/filters resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2780. GET /qvm/filters response codes
HTTP Response
Code Unique Code Description
200 The search executed successfully

1370 QRadar API Reference Guide

Table 2780. GET /qvm/filters response codes (continued)
HTTP Response
Code Unique Code Description
420 9102 An error occurred while executing the search

Response Description

list of Filters.

Response Sample

GET /qvm/network DEPRECATED

List the networks present in the asset model with vulnerabilities present. The
response contains all available RESTful resources
Table 2781. GET /qvm/network resource details
MIME Type
application/json

Table 2782. GET /qvm/network request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2783. GET /qvm/network response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by network
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of network related data

Response Sample

GET /qvm/openservices DEPRECATED

List the openservices present in the asset model with vulnerabilities present. The
response will contain all available RESTful resources
Table 2784. GET /qvm/openservices resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1371

 Table 2785. GET /qvm/openservices request parameter details
Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2786. GET /qvm/openservices response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by open
service completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of open services related data

Response Sample

GET /qvm/savedsearches DEPRECATED

Get a list of saved searches that can be applied against /qvm endpoints.

A list of saved searches that can be applied against the following endpoints:
v /qvm/assets
v /qvm/vulns
v /qvm/vulninstances
v /qvm/openservices
v /qvm/networks
v queries
Table 2787. GET /qvm/savedsearches resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2788. GET /qvm/savedsearches response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve the list of saved searches
completed successfully
420 9103 An error occurred while trying to retrieve the list of
saved searches

1372 QRadar API Reference Guide

Response Description

list of saved searches. Per saved search: id, name and list fo filters that make up
this saved search

Response Sample

POST /qvm/tickets/assign DEPRECATED

Update the remediation ticket for the assigned vulnerability
Table 2789. POST /qvm/tickets/assign resource details
MIME Type
application/json

Table 2790. POST /qvm/tickets/assign request body details

Parameter Data Type MIME Type Description Sample
ticket JSON application/json [ { "ticketId":"1000",
'ticketId': required. "status":"Opened", "priority":"Critical",
"dueDate":"2015-01-04 12:00:00",
"assignedUser":"admin",
'priority' one of required :
"comment":"testComment",
Critical, Major, Minor,
"commentUser":"admin" } ]
Warning, Informational.

'status' one of required :

Opened, Fixed, Re-Opened,
Closed .

'dueDate' Optional :
yyyy-MM-dd HH:mm:ss.

'assignedUser' required : valid

QRadar user account name or
a valid email.

'comment' Optional : text.

'commentUser' Optional :
valid QRadar user account
name, if not included will
default current API user.

Table 2791. POST /qvm/tickets/assign response codes

HTTP Response
Code Unique Code Description
200 The request to assign a ticket completed successfully
420 9104 An error occurred while trying to assign a ticket due
to invalid arguments

Response Description

success message if update succeed

Response Sample

GET /qvm/vulninstances DEPRECATED

List the Vulnerability Instances present in the asset model. The response will
contain all available RESTful resources

Chapter 7. Previous REST API versions 1373

 Table 2792. GET /qvm/vulninstances resource details
MIME Type
application/json

Table 2793. GET /qvm/vulninstances request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

Table 2794. GET /qvm/vulninstances response codes

HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities by instance
completed successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of vulnerability instance data

Response Sample

GET /qvm/vulns DEPRECATED

List the Vulnerabilities present in the asset model. The response will contain all
available RESTful resources
Table 2795. GET /qvm/vulns resource details
MIME Type
application/json

Table 2796. GET /qvm/vulns request parameter details

Parameter Type Optionality Data Type MIME Type Description
savedSearchId query Optional String text/plain Id of saved search
savedSearchName query Optional String text/plain Saved search name
filters query Optional Array<Object> application/json List of JSON objects for
application of bespoke
query search dataset filter.
Format
[{"parameter":"<value>",
"operator":"<value>",
"value":"<value>"}] e.g.
[{"parameter":"IPv4
Address",
"operator":"Equals",
"value":"10.100.85.111"}]

1374 QRadar API Reference Guide

 Table 2797. GET /qvm/vulns response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve vulnerabilities completed
successfully
420 9101 Invalid search parameters, search cannot be
performed

Response Description

list of vulnerability data

Response Sample

Reference data endpoints

Use the references for REST API V5.1 reference data endpoints.

GET /reference_data/map_of_sets DEPRECATED

Retrieve a list of all reference map of sets.
Table 2798. GET /reference_data/map_of_sets resource details
MIME Type
application/json

Table 2799. GET /reference_data/map_of_sets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 1375

 Table 2800. GET /reference_data/map_of_sets response codes
HTTP Response
Code Unique Code Description
200 The reference map of sets list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference map of sets

Response Description

A list of all of the reference map of sets. This returns information about the map of
sets but not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/map_of_sets DEPRECATED

Create a new reference map of sets.
Table 2801. POST /reference_data/map_of_sets resource details
MIME Type
application/json

Table 2802. POST /reference_data/map_of_sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map of sets
to create
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map of sets. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values

1376 QRadar API Reference Guide

Table 2802. POST /reference_data/map_of_sets request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2803. POST /reference_data/map_of_sets response codes

HTTP Response
Code Unique Code Description
201 A new reference map of sets was successfully
created
409 1004 The reference map of sets could not be created, the
name provided is already in use. Please change the
name and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map of sets

Response Description

Information about the newly created reference map of sets.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

Chapter 7. Previous REST API versions 1377

 GET /reference_data/map_of_sets/{name} DEPRECATED
Return the reference map of sets identified by name.

Return the reference map of sets identified by name. If provided, limit specifies
the number of records to return starting at the record that is specified by offset. If
the number is not specified, then the first 20 records is returned.
Table 2804. GET /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 2805. GET /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2806. GET /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has been retrieved
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference map of sets

Response Description

The reference map of sets identified by the name specified in the request. The
portion of the reference map of sets' data returned is dependent on the limit and
offset specified in the request.

1378 QRadar API Reference Guide

Response Sample
{
"creation_time": 42,
"data": {
"String": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
]
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/map_of_sets/{name} DEPRECATED

Add or update an element in a reference map of sets.
Table 2807. POST /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

Table 2808. POST /reference_data/map_of_sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to add or update
an element in
key query Required String text/plain Required - The key of
the set to add or
update
value query Required String text/plain Required - The value to
add or update in the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - This
indicates where the
data originated. The
default value is
'reference data api'

Chapter 7. Previous REST API versions 1379

 Table 2808. POST /reference_data/map_of_sets/{name} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2809. POST /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had an element added
or updated
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map of sets

Response Description

Information about the reference map of sets that has had an element added or
updated. This returns information about the reference map of sets but not the
contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/map_of_sets/{name} DEPRECATED

Remove a map of sets or purge its contents.
Table 2810. DELETE /reference_data/map_of_sets/{name} resource details
MIME Type
application/json

1380 QRadar API Reference Guide

Table 2811. DELETE /reference_data/map_of_sets/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map of sets
should have its
contents purged (true),
keeping the reference
map of sets structure. If
the value is "false" or
not specified the
reference map of sets
will be removed
completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2812. DELETE /reference_data/map_of_sets/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets deletion or purge
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map of sets

Response Description

A status_id to retrieve the Reference Data Map of Sets deletion or purge status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [

Chapter 7. Previous REST API versions 1381

 42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/map_of_sets/{name}/dependents
DEPRECATED
Retrieves the dependents of the Map of Sets.

Initiates the retrieval of dependents of the Map of Sets

Table 2813. GET /reference_data/map_of_sets/{name}/dependents resource details
MIME Type
application/json

1382 QRadar API Reference Guide

Table 2814. GET /reference_data/map_of_sets/{name}/dependents request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2815. GET /reference_data/map_of_sets/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Map of Sets dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Response Description

A status_id to retrieve the Reference Data Map of Sets dependent retrieval status
with at /api/system/task_management/task/{status_id}. You can also find the url
in the Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,

Chapter 7. Previous REST API versions 1383

 CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/map_of_sets/{name}/value/{key}
DEPRECATED
Remove a value from a reference map of sets.
Table 2816. DELETE /reference_data/map_of_sets/{name}/value/{key} resource details
MIME Type
application/json

Table 2817. DELETE /reference_data/map_of_sets/{name}/value/{key} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets to remove a value
from
key path Required String text/plain Required - The key of
the value to remove

1384 QRadar API Reference Guide

Table 2817. DELETE /reference_data/map_of_sets/{name}/value/{key} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value query Required String text/plain Required - The value to
remove from the
reference map of sets.
Note: Date values must
be represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2818. DELETE /reference_data/map_of_sets/{name}/value/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map of sets has had a value removed
404 1002 The reference map of sets does not exist
404 1003 The record does not exist in the reference map of
sets
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference map of sets value

Response Description

Information about the reference map of sets that had a value removed. This returns
information about the reference map of sets but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

Chapter 7. Previous REST API versions 1385

 GET /reference_data/maps DEPRECATED
Retrieve a list of all reference maps.
Table 2819. GET /reference_data/maps resource details
MIME Type
application/json

Table 2820. GET /reference_data/maps request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2821. GET /reference_data/maps response codes

HTTP Response
Code Unique Code Description
200 The reference map list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference maps

Response Description

A list of all of the reference maps. This returns information about the maps but not
the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",

1386 QRadar API Reference Guide

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}
]

POST /reference_data/maps DEPRECATED

Create a new reference map.
Table 2822. POST /reference_data/maps resource details
MIME Type
application/json

Table 2823. POST /reference_data/maps request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference map to
create
key_label query Optional String text/plain Optional - The label to
describe the keys
value_label query Optional String text/plain Optional - The label to
describe the data values
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
map. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"

Chapter 7. Previous REST API versions 1387

 Table 2823. POST /reference_data/maps request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2824. POST /reference_data/maps response codes

HTTP Response
Code Unique Code Description
201 A new reference map was successfully created
409 1004 The reference map could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference map

Response Description

Information about the newly created reference map.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/maps/{name} DEPRECATED

Retrieve the reference map identified by name.

Retrieve the reference map identified by name. If it is provided, limit specifies the
number of records to return starting at record that is specified by offset. If the
number is not specified, then the first 20 records are returned.
Table 2825. GET /reference_data/maps/{name} resource details
MIME Type
application/json

1388 QRadar API Reference Guide

Table 2826. GET /reference_data/maps/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2827. GET /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference map has been retrieved
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference map

Response Description

The reference map identified by the name specified in the request. The portion of
the reference map's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",

Chapter 7. Previous REST API versions 1389

 "value": "String"
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

POST /reference_data/maps/{name} DEPRECATED

Add or update an element in a reference map.
Table 2828. POST /reference_data/maps/{name} resource details
MIME Type
application/json

Table 2829. POST /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
add or update an
element in
key query Required String text/plain Required - The key
who's value we want to
add or update
value query Required String text/plain Required - The value to
add or update in the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1390 QRadar API Reference Guide

Table 2830. POST /reference_data/maps/{name} response codes
HTTP Response
Code Unique Code Description
200 The reference map has had an element added or
updated
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference map

Response Description

Information about the reference map that had an element added or updated. This
returns information about reference map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

DELETE /reference_data/maps/{name} DEPRECATED

Remove a reference map or purge its contents.
Table 2831. DELETE /reference_data/maps/{name} resource details
MIME Type
application/json

Table 2832. DELETE /reference_data/maps/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove or purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference map should
have its contents
purged (true), keeping
the reference map
structure. If the value is
"false" or not specified
the reference map will
be removed completely.

Chapter 7. Previous REST API versions 1391

 Table 2832. DELETE /reference_data/maps/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2833. DELETE /reference_data/maps/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Maps deletion or purge request
has been accepted and is in progress
404 1002 The reference map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference map

Response Description

A status_id to retrieve the Reference Data Maps deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,

1392 QRadar API Reference Guide

 PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/maps/{name}/dependents DEPRECATED

Retrieves the dependents of the Map.
Table 2834. GET /reference_data/maps/{name}/dependents resource details
MIME Type
application/json

Table 2835. GET /reference_data/maps/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map
retrieve dependents for
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Chapter 7. Previous REST API versions 1393

 Table 2836. GET /reference_data/maps/{name}/dependents response codes
HTTP Response
Code Unique Code Description
202 The Reference Data Maps dependent retrieval
request has been accepted and is in progress
404 1002 The reference Map does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map

Response Description

A status_id to retrieve the Reference Data Maps dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

1394 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/maps/{name}/value/{key} DEPRECATED

Remove a value from a reference map.
Table 2837. DELETE /reference_data/maps/{name}/value/{key} resource details
MIME Type
application/json

Table 2838. DELETE /reference_data/maps/{name}/value/{key} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map to
remove a value from
key path Required String text/plain Required - The key of
the value to remove
value query Required String text/plain Required - The value to
remove from the
reference map. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2839. DELETE /reference_data/maps/{name}/value/{key} response codes

HTTP Response
Code Unique Code Description
200 The reference map has had a value removed
404 1002 The reference map does not exist
404 1003 The record does not exist in the reference map
422 1005 A request parameter is not valid

Chapter 7. Previous REST API versions 1395

 Table 2839. DELETE /reference_data/maps/{name}/value/{key} response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to remove the
value from the reference map

Response Description

Information about the reference map that had an element removed. This returns
information about map but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>",
"value_label": "String"
}

GET /reference_data/sets DEPRECATED

Retrieve a list of all reference sets.
Table 2840. GET /reference_data/sets resource details
MIME Type
application/json

Table 2841. GET /reference_data/sets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

1396 QRadar API Reference Guide

Table 2841. GET /reference_data/sets request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2842. GET /reference_data/sets response codes

HTTP Response
Code Unique Code Description
200 The reference set list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference sets

Response Description

A list of all of the reference sets. This returns information about the sets but not the
contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/sets DEPRECATED

Create a new reference set.
Table 2843. POST /reference_data/sets resource details
MIME Type
application/json

Table 2844. POST /reference_data/sets request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference set being
created

Chapter 7. Previous REST API versions 1397

 Table 2844. POST /reference_data/sets request parameter details (continued)
Parameter Type Optionality Data Type MIME Type Description
element_type query Required String text/plain Required - The element
type for the values
allowed in the reference
set. The allowed values
are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented
in milliseconds since the
Unix Epoch January 1st
1970.
timeout_type query Optional String text/plain Optional - The allowed
values are
"FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last
seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for
example: "1 month" or "5
minutes"
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2845. POST /reference_data/sets response codes

HTTP Response
Code Unique Code Description
201 A new reference set was successfully created
409 1004 The reference set could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference set

Response Description

Information about the newly created reference set.

1398 QRadar API Reference Guide

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/sets/{name} DEPRECATED

Retrieve the reference set identified by name.

Retrieve the reference set that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 2846. GET /reference_data/sets/{name} resource details
MIME Type
application/json

Table 2847. GET /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
retrieve
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 1399

 Table 2848. GET /reference_data/sets/{name} response codes
HTTP Response
Code Unique Code Description
200 The reference set has been retrieved
404 1002 The reference set does not exist.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference set

Response Description

The reference set identified by the name specified in the request. The portion of the
set's data returned is dependent on the limit and offset specified in the request.

Response Sample
{
"creation_time": 42,
"data": [
{
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
],
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/{name} DEPRECATED

Add or update an element in a reference set.
Table 2849. POST /reference_data/sets/{name} resource details
MIME Type
application/json

Table 2850. POST /reference_data/sets/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to add
or update an element in
value query Required String text/plain Required - The value to
add or update in the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.

1400 QRadar API Reference Guide

Table 2850. POST /reference_data/sets/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2851. POST /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had an element added or
updated
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update an element in the reference set

Response Description

Information about the reference set that had an element added or updated. This
returns information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/sets/{name} DEPRECATED

Remove a reference set or purge its contents.
Table 2852. DELETE /reference_data/sets/{name} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1401

 Table 2853. DELETE /reference_data/sets/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the set to remove or
purge
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference set should
have its contents
purged (true), keeping
the reference set
structure. If the value is
"false" or not specified
the reference set will be
removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2854. DELETE /reference_data/sets/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Sets deletion or purge request
has been accepted and is in progress
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference set

Response Description

A status_id to retrieve the Reference Data Sets deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],

1402 QRadar API Reference Guide

 "completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/sets/{name}/dependents DEPRECATED

Retrieves the dependents of the set.
Table 2855. GET /reference_data/sets/{name}/dependents resource details
MIME Type
application/json

Table 2856. GET /reference_data/sets/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the Reference Set
retrieve dependents for

Chapter 7. Previous REST API versions 1403

 Table 2856. GET /reference_data/sets/{name}/dependents request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2857. GET /reference_data/sets/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Sets dependent retrieval request
has been accepted and is in progress
404 1002 The Reference Set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the Reference Set

Response Description

A status_id to retrieve the Reference Data Sets dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

1404 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/sets/{name}/value/{value} DEPRECATED

Remove a value from a reference set.
Table 2858. DELETE /reference_data/sets/{name}/value/{value} resource details
MIME Type
application/json

Table 2859. DELETE /reference_data/sets/{name}/value/{value} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference set to
remove a value from
value path Required String text/plain Required - The value to
remove from the
reference set. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.

Chapter 7. Previous REST API versions 1405

 Table 2859. DELETE /reference_data/sets/{name}/value/{value} request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2860. DELETE /reference_data/sets/{name}/value/{value} response codes

HTTP Response
Code Unique Code Description
200 The reference set that had a value removed
404 1002 The reference set does not exist
404 1003 The record does not exist in the reference set
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
value from the reference set.

Response Description

Information about the reference set that had an value removed. This returns
information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/sets/bulk_load/{name} DEPRECATED

Add or update data in a reference set.
Table 2861. POST /reference_data/sets/bulk_load/{name} resource details
MIME Type
application/json

1406 QRadar API Reference Guide

Table 2862. POST /reference_data/sets/bulk_load/{name} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
set to add or update
data in
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2863. POST /reference_data/sets/bulk_load/{name} request body details

Parameter Data Type MIME Type Description Sample
data Array application/json Required - The JSON ["String", "String",
formated data to add or "String", "String",
update in the reference "String", "String",
set "String", "String",
"String", "String",
"String"]

Table 2864. POST /reference_data/sets/bulk_load/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference set has had data added or updated
400 1001 An error occurred parsing the JSON formatted
message body
404 1002 The reference set does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference set

Response Description

Information about the reference set that had data added or updated. This returns
information about the reference set but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

Chapter 7. Previous REST API versions 1407

 GET /reference_data/tables DEPRECATED
Retrieve a list of all reference tables.
Table 2865. GET /reference_data/tables resource details
MIME Type
application/json

Table 2866. GET /reference_data/tables request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2867. GET /reference_data/tables response codes

HTTP Response
Code Unique Code Description
200 The reference table list has been retrieved
500 1020 An error occurred while attempting to retrieve all of
the reference tables

Response Description

A list of all of the reference tables. This returns information about the tables but
not the contained data.

Response Sample
[
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {

1408 QRadar API Reference Guide

 "String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}
]

POST /reference_data/tables DEPRECATED

Create a new reference table.
Table 2868. POST /reference_data/tables resource details
MIME Type
application/json

Table 2869. POST /reference_data/tables request parameter details

Parameter Type Optionality Data Type MIME Type Description
name query Required String text/plain Required - The name of
the reference table to
create
element_type query Required String text/plain Required - The default
element type for the
values allowed in the
reference table. This is
used when values are
added or updated in the
reference table who's
inner key was not defined
in the key_name_types
parameter. The allowed
values are: ALN
(alphanumeric), ALNIC
(alphanumeric ignore
case), IP (IP address),
NUM (numeric), PORT
(port number) or DATE.
Note that date values
need to be represented in
milliseconds since the
Unix Epoch January 1st
1970.
outer_key_label query Optional String text/plain Optional - The label to
describe the outer keys
timeout_type query Optional String text/plain Optional - The allowed
values are "FIRST_SEEN",
"LAST_SEEN" and
"UNKNOWN". The
default value is
"UNKNOWN". This
indicates if the
time_to_live interval is
based on when the data
was first seen or last seen.
time_to_live query Optional String text/plain Optional - The time to
live interval, for example:
"1 month" or "5 minutes"
key_name_types query Optional Array<Object> application/json Optional - A JSON
formatted string. This
array creates the inner key
names and corresponding
value types for the table
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by commas.

Chapter 7. Previous REST API versions 1409

 Table 2870. POST /reference_data/tables response codes
HTTP Response
Code Unique Code Description
201 A new reference table was successfully created
409 1004 The reference table could not be created, the name
provided is already in use. Please change the name
and try again.
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to create the
reference table

Response Description

Information about the newly created reference table.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

GET /reference_data/tables/{name} DEPRECATED

Return the reference table identified by name.

Return the reference table that is identified by name. If it is provided, limit

specifies the number of records to return starting at the record that is specified by
offset. If the number is not specified, then the first 20 records are returned.
Table 2871. GET /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2872. GET /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
retrieve

1410 QRadar API Reference Guide

Table 2872. GET /reference_data/tables/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2873. GET /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
200 The reference table has been retrieved
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to retrieve the
reference table

Response Description

The reference table identified by the name specified in the request. The portion of
the reference table's data returned is dependent on the limit and offset specified in
the request.

Response Sample
{
"creation_time": 42,
"data": {
"String": {
"String": {
"first_seen": 42,
"last_seen": 42,
"source": "String",
"value": "String"
}
}
},
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",

Chapter 7. Previous REST API versions 1411

 "number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

POST /reference_data/tables/{name} DEPRECATED

Add or update an element in a reference table.

Add or update an element in a reference table. The value to be added must be of

the appropriate type. Either the type that corresponds to the innerKey that is
predefined for the reference table, or the default elementType of the reference table
Table 2874. POST /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2875. POST /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
add or update an
element in
outer_key query Required String text/plain Required - The outer
key for the element to
add or update
inner_key query Required String text/plain Required - The inner
key for the element to
add or update
value query Required String text/plain Required - The value to
add or update in the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
source query Optional String text/plain Optional - An
indication of where the
data originated. The
default value is
'reference data api'
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1412 QRadar API Reference Guide

Table 2876. POST /reference_data/tables/{name} response codes
HTTP Response
Code Unique Code Description
200 The reference table has had an element added or
updated
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to add or
update data in the reference table

Response Description

Information about the reference table that had an element added or updated. This
returns information about the reference table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

DELETE /reference_data/tables/{name} DEPRECATED

Remove a reference table or purge its contents.
Table 2877. DELETE /reference_data/tables/{name} resource details
MIME Type
application/json

Table 2878. DELETE /reference_data/tables/{name} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove or purge

Chapter 7. Previous REST API versions 1413

 Table 2878. DELETE /reference_data/tables/{name} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
purge_only query Optional String text/plain Optional - The allowed
values are "false" or
"true". The default
value is false. This
indicates if the
reference table should
have its contents
purged (true), keeping
the reference table
structure. If the value is
"false" or not specified
the reference table will
be removed completely.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2879. DELETE /reference_data/tables/{name} response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables deletion or purge request
has been accepted and is in progress
404 1002 The reference table does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove or
purge values from the reference table

Response Description

A status_id to retrieve the Reference Data Tables deletion or purge status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,

1414 QRadar API Reference Guide

 "maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

GET /reference_data/tables/{name}/dependents DEPRECATED

Retrieves the dependents of the Table.
Table 2880. GET /reference_data/tables/{name}/dependents resource details
MIME Type
application/json

Table 2881. GET /reference_data/tables/{name}/dependents request parameter details

MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference map of
sets retrieve dependents
for

Chapter 7. Previous REST API versions 1415

 Table 2881. GET /reference_data/tables/{name}/dependents request parameter
details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2882. GET /reference_data/tables/{name}/dependents response codes

HTTP Response
Code Unique Code Description
202 The Reference Data Tables dependent retrieval
request has been accepted and is in progress
404 1002 The reference map of sets does not exist
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to get the
dependents for the reference map of sets

Response Description

A status_id to retrieve the Reference Data Tables dependent retrieval status with at
/api/system/task_management/task/{status_id}. You can also find the url in the
Location header

Response Sample
{
"current_status": {
"cancel_requested": true,
"cancelled_by": "String",
"child_tasks": [
42
],
"completed": 42,
"created": 42,
"created_by": "String",
"id": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"name": "String",
"progress": 42,
"result_url": "String",
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,

1416 QRadar API Reference Guide

 INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>",
"task_components": [
{
"completed": 42,
"created": 42,
"maximum": 42,
"message": "String",
"modified": 42,
"progress": 42,
"started": 42,
"status": "String <one of: CANCELLED,
CANCELING,
CANCEL_REQUESTED,
COMPLETED,
EXCEPTION,
INITIALIZING,
INTERRUPTED,
PAUSED,
PROCESSING,
QUEUED,
RESUMING>"
}
]
},
"message": "String",
"status_location": "String"
}

DELETE /reference_data/tables/{name}/value/{outer_key}/
{inner_key} DEPRECATED
Remove a value from a reference table.
Table 2883. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} resource
details
MIME Type
application/json

Table 2884. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} request

parameter details
MIME
Parameter Type Optionality Data Type Type Description
name path Required String text/plain Required - The name of
the reference table to
remove a value from
outer_key path Required String text/plain Required - The outer
key of the value to
remove
inner_key path Required String text/plain Required - The inner
key of the value to
remove

Chapter 7. Previous REST API versions 1417

 Table 2884. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} request
parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
value query Required String text/plain Required - The value to
remove from the
reference table. Note:
Date values must be
represented in
milliseconds since the
Unix Epoch January 1st
1970.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2885. DELETE /reference_data/tables/{name}/value/{outer_key}/{inner_key} response

codes
HTTP Response
Code Unique Code Description
200 The reference table had had a value removed
404 1002 The reference table does not exist
404 1003 The record does not exist in the reference table
422 1005 A request parameter is not valid
500 1020 An error occurred while attempting to remove the
reference table value

Response Description

Information about the reference table that had an element removed. This returns
information about table but not the contained data.

Response Sample
{
"creation_time": 42,
"element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>",
"key_label": "String",
"key_name_types": {
"String": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE>"
},
"name": "String",
"number_of_elements": 42,
"time_to_live": "String",
"timeout_type": "String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN>"
}

1418 QRadar API Reference Guide

Scanner endpoints
Use the references for REST API V5.1 scanner endpoints.

GET /scanner/profiles DEPRECATED

Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
Table 2886. GET /scanner/profiles resource details
MIME Type
application/json

There are no parameters for this endpoint.

Table 2887. GET /scanner/profiles response codes
HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample

POST /scanner/profiles/create DEPRECATED

Initiates a request to create a new Scan Profile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and IP addresses to scan. For example:
{name:New Scan Profile, ips:[10.100.85.135]}
Table 2888. POST /scanner/profiles/create resource details
MIME Type
text/plain

Table 2889. POST /scanner/profiles/create request body details

Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Chapter 7. Previous REST API versions 1419

 Table 2890. POST /scanner/profiles/create response codes
HTTP Response
Code Unique Code Description
200 The scan has been successfully created
419 9101 Occurs when a parameter is missing or invalid
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

POST /scanner/profiles/start DEPRECATED

Initiates a request to start an already created scanProfile.

The request takes one parameter - scanProfileId. To get a list of scanProfileIds, get
a list of the current scan profiles by initiating a 'profiles' request on the scanner
endpoint. The scanProfileId is validated and an appropriate message is returned.
Table 2891. POST /scanner/profiles/start resource details
MIME Type
text/plain

Table 2892. POST /scanner/profiles/start request parameter details

Parameter Type Optionality Data Type MIME Type Description
scanProfileId query Required String text/plain The unique id of the
scan profile we want to
start

Table 2893. POST /scanner/profiles/start response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

1420 QRadar API Reference Guide

GET /scanner/scanprofiles DEPRECATED
Retrieves all of the currently created scan profiles.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v scanProfileName
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2894. GET /scanner/scanprofiles resource details
MIME Type
application/json

Table 2895. GET /scanner/scanprofiles request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2896. GET /scanner/scanprofiles response codes

HTTP Response
Code Unique Code Description
200 The list of scan profiles was successfully returned

Chapter 7. Previous REST API versions 1421

 Table 2896. GET /scanner/scanprofiles response codes (continued)
HTTP Response
Code Unique Code Description
500 1030 Occurs when an attempt is made to list scan profiles
when certain conditions are not met, or when too
many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,
"hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles DEPRECATED

Initiates a request to create a new scanProfile.

The request takes one parameter - createScanRequest, which is just a POJO. To

create the scan, you will need to build up a JSON object that contains the Scan
Profile name and hosts to scan. For example:
{name:New Scan Profile, hosts:[10.100.85.135]}
Table 2897. POST /scanner/scanprofiles resource details
MIME Type
text/plain

1422 QRadar API Reference Guide

Table 2898. POST /scanner/scanprofiles request body details
Parameter Data Type MIME Type Description Sample
scanProfile Object application/json null { "description": "String",
"hosts": [ "String" ],
"name": "String" }

Table 2899. POST /scanner/scanprofiles response codes

HTTP Response
Code Unique Code Description
200 The scan has been successfully created
500 1030 Occurs when an attempt is made to create a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been created successfully or not.

Response Sample
String

GET /scanner/scanprofiles/{profileid} DEPRECATED

Retrieves a scan profile for a given Scan Profile ID.

No parameters are required and the following information should be retrieved for
each scan profile.
v scanProfileId
v name
v description
v scanType
v scannerName
v schedule
v status
v progress
v endTime
v duration
Table 2900. GET /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 2901. GET /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we need to
retrieve information for

Chapter 7. Previous REST API versions 1423

 Table 2901. GET /scanner/scanprofiles/{profileid} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 2902. GET /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
200 The scan profile was successfully returned
500 1030 Occurs when an attempt is made to list a scan
profile when certain conditions are not met, or when
too many scan requests have been made

Response Description

The list of scan profiles currently configured in QVM

Response Sample
[
{
"description": "String",
"duration": {
"days": 42,
"hours": 42,
"minutes": 42,
"months": 42,
"seconds": 42.5,
"type": "String",
"value": "String",
"years": 42
},
"endTime": {
"date": 42,
"day": 42,

1424 QRadar API Reference Guide

 "hours": 42,
"minutes": 42,
"month": 42,
"seconds": 42,
"time": 42,
"timezoneOffset": 42,
"year": 42
},
"progress": 42,
"scanProfileId": 42,
"scanProfileName": "String",
"scanType": "String",
"scannerName": "String",
"schedule": "String",
"status": "String"
}
]

POST /scanner/scanprofiles/{profileid} DEPRECATED

Update a scan profile. The Scan Profile ID is required.

The following information on a scan profile can be updated:

v name
v description
v IP addresses

For example:
{name:Updated Scan Profile, ips:[10.100.85.135]}
Table 2903. POST /scanner/scanprofiles/{profileid} resource details
MIME Type
application/json

Table 2904. POST /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile used to
update

Table 2905. POST /scanner/scanprofiles/{profileid} request body details

Parameter Data Type MIME Type Description Sample
scanProfile JSON application/json null null

Table 2906. POST /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
202 The scan profile was successfully updated
500 1030 Occurs when an attempt is made to update a scan
profile when certain conditions are not met, or when
too many scan requests have been made

Chapter 7. Previous REST API versions 1425

 Response Description

A message to indicate whether the scan profile has updated or not.

Response Sample

DELETE /scanner/scanprofiles/{profileid} DEPRECATED

Initiates a request to delete a scanProfile.

The request takes one parameter - the Scan Profile ID.

Table 2907. DELETE /scanner/scanprofiles/{profileid} resource details
MIME Type
text/plain

Table 2908. DELETE /scanner/scanprofiles/{profileid} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain null

Table 2909. DELETE /scanner/scanprofiles/{profileid} response codes

HTTP Response
Code Unique Code Description
204 The scan has been successfully deleted
500 1030 Occurs when an attempt is made to delete a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been deleted successfully or not.

Response Sample
String

POST /scanner/scanprofiles/{profileid}/start DEPRECATED

Initiates a request to start an already created scanProfile.

The request takes one parameter, scanProfileId, and one optional parameter, ips.
To get a list of scanProfileIds, simply get a list of the current scan profiles by
initiating a 'profiles' request on the scanner endpoint. The scanProfileId, is
validated and an appropriate message returned.
Table 2910. POST /scanner/scanprofiles/{profileid}/start resource details
MIME Type
text/plain

1426 QRadar API Reference Guide

 Table 2911. POST /scanner/scanprofiles/{profileid}/start request parameter details
MIME
Parameter Type Optionality Data Type Type Description
profileid path Required String text/plain The unique id of the
scan profile we want to
start

Table 2912. POST /scanner/scanprofiles/{profileid}/start request body details

Parameter Data Type MIME Type Description Sample
ips JSON application/json null null

Table 2913. POST /scanner/scanprofiles/{profileid}/start response codes

HTTP Response
Code Unique Code Description
202 The scan has been successfully started
403 1000 Occurs if the user does not have permission to start
a scan, or the scan is in progress
500 1030 Occurs when an attempt is made to start a scan
when certain conditions are not met, or when too
many scan requests have been made

Response Description

An indicator of whether the scan has been started successfully or not.

Response Sample
String

SIEM endpoints
Use the references for REST API V5.1 SIEM endpoints.

GET /siem/local_destination_addresses DEPRECATED

Retrieve a list offense local destination addresses currently in the system.
Table 2914. GET /siem/local_destination_addresses resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1427

 Table 2915. GET /siem/local_destination_addresses request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2916. GET /siem/local_destination_addresses response codes

HTTP Response
Code Unique Code Description
200 The local destination address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the local destination
address list was being retrieved.

Response Description

An array of local destination address objects. A local destination address object

contains the following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.

1428 QRadar API Reference Guide

v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}
]

GET /siem/local_destination_addresses/
{local_destination_address_id} DEPRECATED
Retrieve an offense local destination address.
Table 2917. GET /siem/local_destination_addresses/{local_destination_address_id} resource
details
MIME Type
application/json

Table 2918. GET /siem/local_destination_addresses/{local_destination_address_id} request

parameter details
Parameter Type Optionality Data Type MIME Type Description
local_destination_address_id path Required Number text/plain Required - The ID of the
(Integer) local destination address
to retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2919. GET /siem/local_destination_addresses/{local_destination_address_id}

response codes
HTTP Response
Code Unique Code Description
200 The local destination was retrieved.

Chapter 7. Previous REST API versions 1429

 Table 2919. GET /siem/local_destination_addresses/{local_destination_address_id}
response codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No local destination address was found for the
provided local_destination_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the local destination
address was being retrieved.

Response Description

A local destination address object. A local destination address object contains the
following fields:
v id - Number - The ID of the destination address.
v local_destination_ip - String - The IP address.
v magnitude - Number - The magnitude of the destination address.
v network - String - The network of the destination address.
v offense_ids - Array of Numbers - List of offense IDs the destination address is
part of.
v source_address_ids - Array of Numbers - List of source address IDs associated
with the destination address.
v event_flow_count - Number - The number of events and flows that are
associated with the destination address.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_ip": "String",
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_address_ids": [
42
]
}

1430 QRadar API Reference Guide

GET /siem/offense_closing_reasons DEPRECATED
Retrieve a list of all offense closing reasons.
Table 2920. GET /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2921. GET /siem/offense_closing_reasons request parameter details

MIME
Parameter Type Optionality Data Type Type Description
include_reserved query Optional Boolean text/plain Optional - If true,
reserved closing
reasons are included in
the response. Defaults
to false. Reserved
closing reasons cannot
be used to close an
offense.
include_deleted query Optional Boolean text/plain Optional - If true,
deleted closing reasons
are included in the
response. Defaults to
false. Deleted closing
reasons cannot be used
to close an offense.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict
the number of elements
that are returned in the
list to a specified
range. The list is
indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2922. GET /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
200 The closing reasons list was retrieved.
500 1020 An error occurred while the closing reasons list was
being retrieved.

Chapter 7. Previous REST API versions 1431

 Response Description

An array of ClosingReason objects. A closing reason object contains the following

fields:
v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
[
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}
]

POST /siem/offense_closing_reasons DEPRECATED

Create an offense closing reason.
Table 2923. POST /siem/offense_closing_reasons resource details
MIME Type
application/json

Table 2924. POST /siem/offense_closing_reasons request parameter details

MIME
Parameter Type Optionality Data Type Type Description
reason query Required String text/plain Required - The text of
the offense closing
reason must be 5 - 60
characters in length.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2925. POST /siem/offense_closing_reasons response codes

HTTP Response
Code Unique Code Description
201 The closing reason was created.
409 1004 The closing reason already exists.
422 1005 A request parameter is not valid.

1432 QRadar API Reference Guide

Table 2925. POST /siem/offense_closing_reasons response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error occurred while attempting to create the
closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offense_closing_reasons/{closing_reason_id}
DEPRECATED
Retrieve an offense closing reason.
Table 2926. GET /siem/offense_closing_reasons/{closing_reason_id} resource details
MIME Type
application/json

Table 2927. GET /siem/offense_closing_reasons/{closing_reason_id} request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
closing_reason_id path Required Number text/plain Required - The closing
(Integer) reason ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2928. GET /siem/offense_closing_reasons/{closing_reason_id} response codes

HTTP Response
Code Unique Code Description
200 The closing reason was retrieved.

Chapter 7. Previous REST API versions 1433

 Table 2928. GET /siem/offense_closing_reasons/{closing_reason_id} response
codes (continued)
HTTP Response
Code Unique Code Description
404 1002 No closing reason was found for the provided
closing_reason_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
closing reason.

Response Description

A ClosingReason object. A closing reason object contains the following fields:

v id - Number - The ID of the closing reason.
v text - String - The text of the closing reason.
v is_deleted - Boolean - Determines whether the closing reason is deleted. Deleted
closing reasons cannot be used to close an offense.
v is_reserved - Boolean - Determines whether the closing reason is reserved.
Reserved closing reasons cannot be used to close an offense.

Response Sample
{
"id": 42,
"is_deleted": true,
"is_reserved": true,
"text": "String"
}

GET /siem/offenses DEPRECATED

Retrieve a list of offenses currently in the system.
Table 2929. GET /siem/offenses resource details
MIME Type
application/json

Table 2930. GET /siem/offenses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1434 QRadar API Reference Guide

Table 2930. GET /siem/offenses request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2931. GET /siem/offenses response codes

HTTP Response
Code Unique Code Description
200 The offense list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the offense list was being
retrieved.

Response Description

An array of Offense objects. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense. Filtering is not supported
on this field.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
Chapter 7. Previous REST API versions 1435
 v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
Filtering is not supported on this field.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense. Filtering is not supported on
this field.
v offense_type - Number - A number that represents the offense type. See the
Offense Type Codes table for the code to offense type mapping.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED". The following operators are not supported when you filter on this
field: "<", ">", "<=", ">=", "BETWEEN".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.
Table 2932. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source

1436 QRadar API Reference Guide

Table 2932. Offense Type Codes (continued)
Code Offense Type
7 Hostname
8 Source Port
9 Destination Port
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
[{"credibility": 42,
"source_address_ids": [42],
"remote_destination_count": 42,
"local_destination_address_ids": [42],
"assigned_to": "String",
"local_destination_count": 42,
"source_count": 42,
"start_time": 42,
"id": 42,
"destination_networks": ["String"],
"inactive": true,
"protected": true,
"policy_category_count": 42,
"description": "String",
"category_count": 42,
"domain_id": 42,
"relevance": 42,
"device_count": 42,
"security_category_count": 42,
"flow_count": 42, "event_count": 42,
"offense_source": "String",
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"magnitude": 42,
"severity": 42,
"username_count": 42,
"closing_user": "String",
"follow_up": true,
"closing_reason_id": 42,
"close_time": 42,
"source_network": "String",
"last_updated_time": 42,
"categories": ["String"],
"offense_type": 42}]

GET /siem/offenses/{offense_id} DEPRECATED

Retrieve an offense structure that describes properties of an offense
Table 2933. GET /siem/offenses/{offense_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1437

 Table 2934. GET /siem/offenses/{offense_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2935. GET /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being
retrieved.

Response Description

An Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.

1438 QRadar API Reference Guide

v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. See the
Offense Type Codes table for the code to offense type mapping.
v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.
Table 2936. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source
7 Hostname
8 Source Port
9 Destination Port

Chapter 7. Previous REST API versions 1439

 Table 2936. Offense Type Codes (continued)
Code Offense Type
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,
"closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

1440 QRadar API Reference Guide

POST /siem/offenses/{offense_id} DEPRECATED
Update an offense.
Table 2937. POST /siem/offenses/{offense_id} resource details
MIME Type
application/json

Table 2938. POST /siem/offenses/{offense_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The ID of
(Integer) the offense to update.
protected query Optional Boolean text/plain Optional - Set to true
to protect the offense.
follow_up query Optional Boolean text/plain Optional - Set to true
to set the follow up
flag on the offense.
status query Optional String text/plain Optional - The new
status for the offense.
Set to one of: OPEN,
HIDDEN, CLOSED.
When the status of an
offense is being set to
CLOSED, a valid
closing_reason_id must
be provided. To hide
an offense, use the
HIDDEN status. To
show a previously
hidden offense, use the
OPEN status.
closing_reason_id query Optional Number text/plain Optional - The ID of a
(Integer) closing reason. You
must provide a valid
closing_reason_id
when you close an
offense.
assigned_to query Optional String text/plain Optional - A user to
assign the offense to.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you
would like to get back
in the response. Fields
that are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2939. POST /siem/offenses/{offense_id} response codes

HTTP Response
Code Unique Code Description
200 The offense was updated.
403 1009 User does not have the required capability to assign an
offense.
404 1002 No offense was found for the provided offense_id.

Chapter 7. Previous REST API versions 1441

 Table 2939. POST /siem/offenses/{offense_id} response codes (continued)
HTTP Response
Code Unique Code Description
409 1008 Request cannot be completed due to the state of the
offense.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the offense was being updated.

Response Description

An updated Offense object. An Offense object contains the following fields:

v id - Number - The ID of the offense.
v description - String - The description of the offense.
v assigned_to - String - The user the offense is assigned to.
v categories - Array of strings - Event categories that are associated with the
offense.
v category_count - Number - The number of event categories that are associated
with the offense.
v policy_category_count - Number - The number of policy event categories that
are associated with the offense.
v security_category_count - Number - The number of security event categories
that are associated with the offense.
v close_time - Number - The number of milliseconds since epoch when the
offense was closed.
v closing_user - String - The user that closed the offense.
v closing_reason_id - Number - The ID of the offense closing reason. The reason
the offense was closed.
v credibility - Number - The credibility of the offense.
v relevance - Number - The relevance of the offense.
v severity - Number - The severity of the offense.
v magnitude - Number - The magnitude of the offense.
v destination_networks - Array of strings - The destination networks that are
associated with the offense.
v source_network - String - The source network that is associated with the offense.
v device_count - Number - The number of devices that are associated with the
offense.
v event_count - Number - The number of events that are associated with the
offense.
v flow_count - Number - The number of flows that are associated with the
offense.
v inactive - Boolean - True if the offense is inactive.
v last_updated_time - Number - The number of milliseconds since epoch when
the offense was last updated.
v local_destination_count - Number - The number of local destinations that are
associated with the offense.
v offense_source - String - The source of the offense.
v offense_type - Number - A number that represents the offense type. See the
Offense Type Codes table for the code to offense type mapping.

1442 QRadar API Reference Guide

v protected - Boolean - True if the offense is protected.
v follow_up - Boolean - True if the offense is marked for follow up.
v remote_destination_count - Number - The number of remote destinations that
are associated wit the offense.
v source_count - Number - The number of sources that are associated with the
offense.
v start_time - Number - The number of milliseconds since epoch when the offense
was started.
v status - String - The status of the offense. One of "OPEN", "HIDDEN", or
"CLOSED".
v username_count - The number of usernames that are associated with the
offense.
v source_address_ids - Array of numbers -The source address IDs that are
associated with the offense.
v local_destination_address_ids - Array of numbers - The local destination
address IDs that are associated with the offense.
v domain_id - Number - Optional. ID of associated domain if the offense is
associated with a single domain.
Table 2940. Offense Type Codes
Code Offense Type
0 Source IP
1 Destination IP
2 Event Name
3 Username
4 Source MAC Address
5 Destination MAC Address
6 Log Source
7 Hostname
8 Source Port
9 Destination Port
10 Source IPv6
11 Destination IPv6
12 Source ASN
13 Destination ASN
14 Rule
15 App Id
18 Scheduled Search

Response Sample
{
"assigned_to": "String",
"categories": [
"String"
],
"category_count": 42,
"close_time": 42,
"closing_reason_id": 42,

Chapter 7. Previous REST API versions 1443

 "closing_user": "String",
"credibility": 42,
"description": "String",
"destination_networks": [
"String"
],
"device_count": 42,
"domain_id": 42,
"event_count": 42,
"flow_count": 42,
"follow_up": true,
"id": 42,
"inactive": true,
"last_updated_time": 42,
"local_destination_address_ids": [
42
],
"local_destination_count": 42,
"magnitude": 42,
"offense_source": "String",
"offense_type": 42,
"policy_category_count": 42,
"protected": true,
"relevance": 42,
"remote_destination_count": 42,
"security_category_count": 42,
"severity": 42,
"source_address_ids": [
42
],
"source_count": 42,
"source_network": "String",
"start_time": 42,
"status": "String <one of: OPEN, HIDDEN, CLOSED>",
"username_count": 42
}

GET /siem/offenses/{offense_id}/notes DEPRECATED

Retrieve a list of notes for an offense.
Table 2941. GET /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Table 2942. GET /siem/offenses/{offense_id}/notes request parameter details

MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the notes
for.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1444 QRadar API Reference Guide

Table 2942. GET /siem/offenses/{offense_id}/notes request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2943. GET /siem/offenses/{offense_id}/notes response codes

HTTP Response
Code Unique Code Description
200 The note list was retrieved.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the note list was being
retrieved.

Response Description

An array of Note objects. A Note object contains the following fields:

v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
[
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}
]

POST /siem/offenses/{offense_id}/notes DEPRECATED

Create a note on an offense.
Table 2944. POST /siem/offenses/{offense_id}/notes resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1445

 Table 2945. POST /siem/offenses/{offense_id}/notes request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to add the note to.
note_text query Required String text/plain Required - The note
text.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2946. POST /siem/offenses/{offense_id}/notes response codes

HTTP Response
Code Unique Code Description
201 The note was created.
404 1002 No offense was found for the provided offense_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create the
note.

Response Description

The Note object that was created. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

GET /siem/offenses/{offense_id}/notes/{note_id} DEPRECATED

Retrieve a note for an offense.
Table 2947. GET /siem/offenses/{offense_id}/notes/{note_id} resource details
MIME Type
application/json

1446 QRadar API Reference Guide

Table 2948. GET /siem/offenses/{offense_id}/notes/{note_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
offense_id path Required Number text/plain Required - The offense
(Integer) ID to retrieve the note
from.
note_id path Required Number text/plain Required - The note ID.
(Integer)
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2949. GET /siem/offenses/{offense_id}/notes/{note_id} response codes

HTTP Response
Code Unique Code Description
200 The note was retrieved.
404 1002 No offense was found for the provided offense_id.
404 1003 No note was found for the provided note_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
note.

Response Description

The Note object for the note ID. A Note object contains the following fields:
v id - Number - The ID of the note.
v create_time - Number - The number of milliseconds since epoch when the note
was created.
v username - String - The user or authorized service that created the note.
v note_text - String - The note text.

Response Sample
{
"create_time": 42,
"id": 42,
"note_text": "String",
"username": "String"
}

Chapter 7. Previous REST API versions 1447

 GET /siem/source_addresses DEPRECATED
Retrieve a list offense source addresses currently in the system.
Table 2950. GET /siem/source_addresses resource details
MIME Type
application/json

Table 2951. GET /siem/source_addresses request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2952. GET /siem/source_addresses response codes

HTTP Response
Code Unique Code Description
200 The source address list was retrieved.
422 1005 A request parameter is not valid.
422 1010 The filter parameter is not valid.
500 1020 An error occurred while the source address list was
being retrieved.

Response Description

An array of source address objects. A source address object contains the following
fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.

1448 QRadar API Reference Guide

v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
[
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}
]

GET /siem/source_addresses/{source_address_id} DEPRECATED

Retrieve an offense source address.
Table 2953. GET /siem/source_addresses/{source_address_id} resource details
MIME Type
application/json

Table 2954. GET /siem/source_addresses/{source_address_id} request parameter details

Parameter Type Optionality Data Type MIME Type Description
source_address_id path Required Number text/plain Required - The ID of the
(Integer) source address to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Chapter 7. Previous REST API versions 1449

 Table 2955. GET /siem/source_addresses/{source_address_id} response codes
HTTP Response
Code Unique Code Description
200 The source address was retrieved.
404 1002 No source address was found for the provided
source_address_id.
422 1005 A request parameter is not valid.
500 1020 An error occurred while the source address was
being retrieved.

Response Description

A source address object. A source address object contains the following fields:
v id - Number - The ID of the source.
v source_ip - String - The IP address.
v magnitude - Number - The magnitude of the source address.
v network - String - The network of the source address.
v offense_ids - Array of Numbers - List of offense IDs the source is part of.
v local_destination_address_ids - Array of Numbers - List of local destination
address IDs associated with the source address.
v event_flow_count - Number - The number of events and flows that are
associated with the source.
v first_event_flow_seen - Number - The number of milliseconds since epoch
when the first event or flow was seen.
v last_event_flow_seen - Number - The number of milliseconds since epoch when
the last event or flow was seen.
v domain_id - Number - The ID of associated domain.

Response Sample
{
"domain_id": 42,
"event_flow_count": 42,
"first_event_flow_seen": 42,
"id": 42,
"last_event_flow_seen": 42,
"local_destination_address_ids": [
42
],
"magnitude": 42,
"network": "String",
"offense_ids": [
42
],
"source_ip": "String"
}

System endpoints
Use the references for REST API V5 system endpoints.

1450 QRadar API Reference Guide

GET /system/servers DEPRECATED
Retrieve a list of all server hosts in the deployment.
Table 2956. GET /system/servers resource details
MIME Type
application/json

Table 2957. GET /system/servers request parameter details

MIME
Parameter Type Optionality Data Type Type Description
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2958. GET /system/servers response codes

HTTP Response
Code Unique Code Description
200 The requested list of server records has been
successfully retrieved.
500 1020 An error has occurred while trying to retrieve the
requested servers.

Response Description

A list of the servers. A server record contains the following fields:

v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Chapter 7. Previous REST API versions 1451

 Response Sample
[
{
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}
]

GET /system/servers/{server_id} DEPRECATED

Retrieve a server host based on the supplied server ID.
Table 2959. GET /system/servers/{server_id} resource details
MIME Type
application/json

Table 2960. GET /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2961. GET /system/servers/{server_id} response codes

HTTP Response
Code Unique Code Description
200 The requested server record has been retrieved.
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Response Description

A server record containing the following fields:

v email_server_address - String - email server address
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server

1452 QRadar API Reference Guide

v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

POST /system/servers/{server_id} DEPRECATED

Updates an existing server.
Table 2962. POST /system/servers/{server_id} resource details
MIME Type
application/json

Table 2963. POST /system/servers/{server_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

Table 2964. POST /system/servers/{server_id} request body details

Parameter Data Type MIME Type Description Sample
details Object application/json Required - A server {
details record "email_server_address":
containing the "String" }
following field:

email_server_address -
String - email server
address. Must be a
valid server address
that the server can
connect to through port
25.

Table 2965. POST /system/servers/{server_id} response codes

HTTP Response
Code Unique Code Description
200 The server record has been updated.
404 1002 The requested server record with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
422 1006 Cannot connect to the mail server address on port
25.
500 1020 An error has occurred while trying to retrieve the
requested server host with the given Id.

Chapter 7. Previous REST API versions 1453

 Response Description

The updated server record containing the following fields:

v email_server_address - String - email server address.
v hostname - String - hostname
v managed_host_id - Number - Id of the managed host the server host belongs to
v private_ip - String - The private ip of this server
v status - String - The status of this server

Response Sample
{
"email_server_address": "String",
"hostname": "String",
"managed_host_id": 42,
"private_ip": "String",
"server_id": 42,
"status": "String"
}

GET /system/servers/{server_id}/firewall_rules DEPRECATED

Retrieve a list of access control firewall rules based on the supplied server ID.
Table 2966. GET /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 2967. GET /system/servers/{server_id}/firewall_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1454 QRadar API Reference Guide

Table 2968. GET /system/servers/{server_id}/firewall_rules response codes
HTTP Response
Code Unique Code Description
200 The rules records have been retrieved.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
requested access control firewall rules on the server
with the given Id.

Response Description

A list of the rules. Each rule record contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

PUT /system/servers/{server_id}/firewall_rules DEPRECATED

Set the access control firewall rules based on the supplied server ID.
Table 2969. PUT /system/servers/{server_id}/firewall_rules resource details
MIME Type
application/json

Table 2970. PUT /system/servers/{server_id}/firewall_rules request parameter details

MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.

Chapter 7. Previous REST API versions 1455

 Table 2971. PUT /system/servers/{server_id}/firewall_rules request body details
Parameter Data Type MIME Type Description Sample
rules Array<Object> application/json Required - A list of new [ { "is_any_source_ip":
rules in a JSON string. true, "port_range":
Each rule record "String", "port_type":
contains the following "String <one of: ANY,
field: SINGLE, RANGE>",
v is_any_source_ip - "protocol": "String <one
Boolean - Whether of: ANY, TCP, UDP>",
"single_port": "String",
any source IP is
"source_ip": "String" } ]
accepted
v port_range - String -
A port range in the
format of start-end
v port_type - String -
one of: ANY,
SINGLE, RANGE
v protocol - String -
one of: ANY, TCP,
UDP
v single_port - String -
A single port
v source_ip - String - A
specific IP address.

Table 2972. PUT /system/servers/{server_id}/firewall_rules response codes

HTTP Response
Code Unique Code Description
200 The rules have been updated.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to set the access
control firewall rules on the server with the given Id.

Response Description

A list of the rules in a JSON string. Each rule contains the following fields:
v is_any_source_ip - Boolean - Whether any source IP is accepted
v port_range - String - A port range in the format of start-end
v port_type - String - one of: ANY, SINGLE, RANGE
v protocol - String - one of: ANY, TCP, UDP
v single_port - String - A single port
v source_ip - String - A specific IP address

Response Sample
[
{
"is_any_source_ip": true,
"port_range": "String",
"port_type": "String <one of: ANY, SINGLE, RANGE>",
"protocol": "String <one of: ANY, TCP, UDP>",
"single_port": "String",
"source_ip": "String"
}
]

1456 QRadar API Reference Guide

GET /system/servers/{server_id}/network_interfaces/ethernet
DEPRECATED
Retrieve a list of the ethernet network interfaces based on the supplied server ID.
Table 2973. GET /system/servers/{server_id}/network_interfaces/ethernet resource details
MIME Type
application/json

Table 2974. GET /system/servers/{server_id}/network_interfaces/ethernet request parameter

details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2975. GET /system/servers/{server_id}/network_interfaces/ethernet response codes

HTTP Response
Code Unique Code Description
200 A list of the ethernet network interfaces have been
retrieved.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
ethernet interfaces on the server with the given Id.

Chapter 7. Previous REST API versions 1457

 Response Description

A list of the ethernet network interfaces. Each ethernet network interface contains
the following fields:
v device_name - String - The name of the network interface
v desc - String - The description of the network interface
v role - String - The role of the network interface. one of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled
v ipversion - String - The version of the ip address configured on the network
interface. one of: ipv4, ipv6
v ip - String - The ip configured on the network interface
v mask - String - The netmask configured on the network interface
v gateway - String - The gateway configured on the network interface
v is_auto_ip - Boolean - Is the ip auto configured
v is_cable_linked - Boolean - Is the network interface cable linked.
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a
new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.

Response Sample
[
{
"desc": "String",
"device_name": "String",
"gateway": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": true,
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
}
]

POST /system/servers/{server_id}/network_interfaces/ethernet/
{device_name} DEPRECATED
Update an ethernet network interface based on the supplied server ID and device
name.
Table 2976. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
resource details
MIME Type
application/json

1458 QRadar API Reference Guide

Table 2977. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
request parameter details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of the
(Integer) server.
device_name path Required String text/plain Required - The name of an
existing ethernet network
interface. The interface
cannot be the management
interface, HA crossover
interface or a slave of a
bonded interface.

Table 2978. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}

request body details
Parameter Data Type MIME Type Description Sample
details Object application/json Required - An ethernet network { "gateway": "String", "ip": "String",
interface record containing the "ipversion": "String <one of: ipv4,
following fields: ipv6>",
"is_moving_config_with_active_ha":
role - String - The role of the network true, "mask": "String", "role": "String
interface. Must be one of: regular, <one of: regular, management,
monitor, disabled hacrossover, hacrossover_disabled,
monitor, disabled, slave,
slave_disabled>" }
ipversion - String - The version of the
ip address configured on the network
interface. one of: ipv4, ipv6

ip - String - The ip configured on the

network interface. Required when
ipversion is ipv4 or (ipversion is ipv6
and is_auto_ip is false). The subnet
computed from the ip and the mask
must not be the same subnet
configured on the management
interface.

mask - String - The netmask

configured on the network interface.
Required when ipversion is ipv4. The
subnet computed from the ip and the
mask must not be the same subnet
configured on the management
interface.

gateway - String - The gateway

configured on the network interface.
Optional when ipversion is ipv4.
Empty value means the network
interface will use the default gateway.
Does not need in ipv6

is_auto_ip - Boolean - Is the ip auto

configured. Required

is_moving_config_with_active_ha -
Boolean - Will apply the same settings
to a new active HA server during
failover. Can be true only when the
server host is an active HA server
host

Table 2979. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}

response codes
HTTP Response
Code Unique Code Description
200 The network interface has been updated.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.

Chapter 7. Previous REST API versions 1459

 Table 2979. POST /system/servers/{server_id}/network_interfaces/ethernet/{device_name}
response codes (continued)
HTTP Response
Code Unique Code Description
500 1020 An error has occurred while trying to update the
specified ethernet interfaces on the server with the
given Id.

Response Description

The updated ethernet network interface containing the following fields:

v device_name - String - The name of the network interface
v role - String - The role of the network interface. one of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled
v ipversion - String - The version of the ip address configured on the network
interface. one of: ipv4, ipv6
v ip - String - The ip configured on the network interface
v mask - String - The netmask configured on the network interface
v gateway - String - The gateway configured on the network interface
v is_auto_ip - Boolean - Is the ip auto configured
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a
new active HA server during failover.

Response Sample
{
"desc": "String",
"device_name": "String",
"gateway": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": true,
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
}

GET /system/servers/{server_id}/network_interfaces/bonded
DEPRECATED
Retrieve a list of the bonded network interfaces based on the supplied server ID.
Table 2980. GET /system/servers/{server_id}/network_interfaces/bonded resource details
MIME Type
application/json

1460 QRadar API Reference Guide

Table 2981. GET /system/servers/{server_id}/network_interfaces/bonded request parameter
details
MIME
Parameter Type Optionality Data Type Type Description
server_id path Required Number text/plain Required - The id of
(Integer) the server.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2982. GET /system/servers/{server_id}/network_interfaces/bonded response codes

HTTP Response
Code Unique Code Description
200 A list of the bonded network interfaces have been
retrieved.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to retrieve the
bonded interfaces on the server with the given Id.

Response Description

A list of the bonded network interfaces. Each record contains the following fields:
v device_name - String - The name of the network interface
v desc - String - The description of the network interface
v role - String - The role of the network interface. one of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled
v ipversion - String - The verson of the ip address configured on the network
interface. one of: ipv4, ipv6
v ip - String - The ip configured on the network interface

Chapter 7. Previous REST API versions 1461

 v mask - String - The netmask configured on the network interface
v gateway - String - The gateway configured on the network interface
v is_auto_ip - Boolean - Is the ip auto configured
v is_cable_linked - Boolean - Is the network interface cable linked.
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a
new active HA server during failover.
v hacrossover_params - String - A map of key-value pairs of HA crossover
parameters if the network interface is used for HA crossover.
v bonding_opts - String - The bonding options configured on the bonded network
interface
v slaves - List - The slaves of the bonded network interface. Each slave record
contains the follow fields:
device_name - String - The name of the slave interface
desc - String - The description of the slave interface
role - String - The role of the slave interface. one of: slave, slave_disabled
is_cable_linked - Boolean - Is the slave interface cable linked.

Response Sample
[
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"gateway": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": true,
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{
"desc": "String",
"device_name": "String",
"is_cable_linked": true,
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}
]

1462 QRadar API Reference Guide

POST /system/servers/{server_id}/network_interfaces/bonded/
{device_name} DEPRECATED
Update an existing bonded network interface.
Table 2983. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
resource details
MIME Type
application/json

Table 2984. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request parameter details
Parameter Type Optionality Data Type MIME Type Description
server_id path Required Number text/plain Required - The id of the
(Integer) server.
device_name path Required String text/plain Required - The name of
an existing bonded
network interface. The
interface cannot be the
management interface or
HA crossover interface

Table 2985. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}

request body details
Parameter Data Type MIME Type Description Sample
details Object application/json Required - The details of the bonded { "bonding_opts": "String", "gateway":
network interface containing the "String", "ip": "String", "ipversion":
following fields: "String <one of: ipv4, ipv6>",
"is_moving_config_with_active_ha":
role - String - The role of the network true, "mask": "String", "role": "String
interface. Must be one of: regular, <one of: regular, management,
monitor, disabled hacrossover, hacrossover_disabled,
monitor, disabled, slave,
slave_disabled>", "slaves": [ {
ipversion - String - The verson of the
"device_name": "String", "role": "String
ip address configured on the network
<one of: regular, management,
interface. one of: ipv4, ipv6
hacrossover, hacrossover_disabled,
monitor, disabled, slave,
ip - String - The ip configured on the slave_disabled>" } ] }
network interface. Required when
ipversion is ipv4 or (ipversion is ipv6
and is_auto_ip is false). The subnet
computed from the ip and the mask
must not be the same subnet
configured on the management
interface.

mask - String - The netmask

configured on the network interface.
Required when ipversion is ipv4. The
subnet computed from the ip and the
mask must not be the same subnet
configured on the management
interface.

gateway - String - The gateway

configured on the network interface.
Optional when ipversion is ipv4.
Empty value means the network
interface will use the default gateway.
Does not need in ipv6

is_auto_ip - Boolean - Is the ip auto

configured. Required

is_moving_config_with_active_ha -
Boolean - Will apply the same settings
to a new active HA server during
failover. Can be true only when the
server host is an active HA server
host

bonding_opts - String - The bonding

options configured on the bonded
network interface

Chapter 7. Previous REST API versions 1463

 Table 2986. POST /system/servers/{server_id}/network_interfaces/bonded/{device_name}
response codes
HTTP Response
Code Unique Code Description
200 The network interface has been updated.
404 1002 The requested server with the given server_id
cannot be found.
422 1005 One or more parameters are invalid in request.
500 1020 An error has occurred while trying to update the
specified bonded interfaces on the server with the
given Id.

Response Description

The updated bonded network interface containing the following fields:

v device_name - String - The name of the network interface
v role - String - The role of the network interface. one of: regular, management,
hacrossover, hacrossover_disabled, monitor, disabled
v ipversion - String - The verson of the ip address configured on the network
interface. one of: ipv4, ipv6
v ip - String - The ip configured on the network interface
v mask - String - The netmask configured on the network interface
v gateway - String - The gateway configured on the network interface
v is_auto_ip - Boolean - Is the ip auto configured
v is_moving_config_with_active_ha - Boolean - Will apply the same settings to a
new active HA server during failover.
v bonding_opts - String - The bonding options configured on the bonded network
interface

Response Sample
{
"bonding_opts": "String",
"desc": "String",
"device_name": "String",
"gateway": "String",
"hacrossover_params": {
"String": "String"
},
"ip": "String",
"ipversion": "String <one of: ipv4, ipv6>",
"is_auto_ip": true,
"is_cable_linked": true,
"is_moving_config_with_active_ha": true,
"mask": "String",
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>",
"slaves": [
{

1464 QRadar API Reference Guide

 "desc": "String",
"device_name": "String",
"is_cable_linked": true,
"role": "String <one of: regular,
management,
hacrossover,
hacrossover_disabled,
monitor,
disabled,
slave,
slave_disabled>"
}
]
}

REST API V5.0 References

Each API reference provides information about the parameters, mime type,
stability, and responses for each endpoint.

Analytics endpoints
Use the references for REST API V5 analytics endpoints.

GET /analytics/custom_actions/actions DEPRECATED

Retrieves a list of available custom actions.
Table 2987. GET /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2988. GET /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Chapter 7. Previous REST API versions 1465

 Table 2989. GET /analytics/custom_actions/actions response codes
HTTP Response
Code Unique Code Description
200 The requested list of custom actions have been
successfully retrieved.
500 1020 An internal server error occurred while retrieving
custom actions.

Response Description

Array of available custom actions which in turn contain the following fields:
v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
[
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}
]

POST /analytics/custom_actions/actions DEPRECATED

Creates a new custom action with the supplied fields.

The custom action must contain the following fields:

v name - Required - String - Unique name of the custom action within the QRadar
deployment.

1466 QRadar API Reference Guide

v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Required - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Required - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.
value - Required - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 2990. POST /analytics/custom_actions/actions resource details
MIME Type
application/json

Table 2991. POST /analytics/custom_actions/actions request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 2992. POST /analytics/custom_actions/actions request body details

Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON { "description":
object containing the "String", "interpreter":
supplied fields (see 42, "name": "String",
above for more "parameters": [ {
details). "encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Chapter 7. Previous REST API versions 1467

 Table 2993. POST /analytics/custom_actions/actions response codes
HTTP Response
Code Unique Code Description
201 A new custom action has been successfully created.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while posting
custom action.

Response Description

The newly created custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

GET /analytics/custom_actions/interpreters DEPRECATED

Retrieves a list of available custom action interpreters.
Table 2994. GET /analytics/custom_actions/interpreters resource details
MIME Type
application/json

1468 QRadar API Reference Guide

Table 2995. GET /analytics/custom_actions/interpreters request parameter details
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 2996. GET /analytics/custom_actions/interpreters response codes

HTTP Response
Code Unique Code Description
200 The requested list of custom action interpreters have
been retrieved.
500 1020 An internal server error occurred while retrieving
available custom action interpreters.

Response Description

Array of available custom action interpreters, each with the following fields:
v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
[
{
"id": 42,
"name": "String"
}
]

Chapter 7. Previous REST API versions 1469

 GET /analytics/custom_actions/interpreters/{interpreter_id}
DEPRECATED
Retrieves a custom action interpreter based on supplied interpreter ID.
Table 2997. GET /analytics/custom_actions/interpreters/{interpreter_id} resource details
MIME Type
application/json

Table 2998. GET /analytics/custom_actions/interpreters/{interpreter_id} request parameter

details
Parameter Type Optionality Data Type MIME Type Description
interpreter_id path Required Number text/plain Number id of custom
(Integer) action interpreter to be
retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 2999. GET /analytics/custom_actions/interpreters/{interpreter_id} response codes

HTTP Response
Code Unique Code Description
200 - The requested custom action interpreter has been
retrieved.
404 1002 The requested custom action interpreter could not be
found.
500 1020 An internal server error occurred while retrieving
custom action interpreter with supplied
interpreter_id.

Response Description

A custom action interpreter with the following fields:

v id - Number - Unique ID of the custom action interpreter within the QRadar
deployment.
v name - String - Name of the custom action interpreter.

Response Sample
{
"id": 42,
"name": "String"
}

1470 QRadar API Reference Guide

GET /analytics/custom_actions/scripts DEPRECATED
Retrieves a list of meta-data for available custom action script files.
Table 3000. GET /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 3001. GET /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 3002. GET /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
500 1020 An internal server error occurred while retrieving
available custom action script file meta-data.

Response Description

Array of available custom action script file meta-data, each with the following
fields:
v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Chapter 7. Previous REST API versions 1471

 Response Sample
[
{
"file_name": "String",
"id": 42
}
]

POST /analytics/custom_actions/scripts DEPRECATED

Creates a new custom action script file. Newly created custom action script files
require a deployment before using.

Newly created custom action script files require a deployment before use. You can
include an optional HTTP header file_name that contains the custom action script
file name. If not specified, the custom action script file name defaults to the script
ID of the uploaded file.
Table 3003. POST /analytics/custom_actions/scripts resource details
MIME Type
application/json

Table 3004. POST /analytics/custom_actions/scripts request parameter details

MIME
Parameter Type Optionality Data Type Type Description
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 3005. POST /analytics/custom_actions/scripts request body details

Parameter Data Type MIME Type Description Sample
file File application/octet- Required. The custom File
stream action script file. Must
be supplied with MIME
type
application/octet-stream.

Table 3006. POST /analytics/custom_actions/scripts response codes

HTTP Response
Code Unique Code Description
201 A custom action script file has been created.
500 1020 An internal server error occurred while posting
custom action script file.

Response Description

Custom action script file meta-data with the following fields:

1472 QRadar API Reference Guide

v id - Number - Unique ID of the custom action script within the QRadar
deployment.
v name - String - Name of the custom action script.

Response Sample
{
"file_name": "String",
"id": 42
}

GET /analytics/custom_actions/actions/{action_id} DEPRECATED

Retrieves a custom action based on the supplied action_id.
Table 3007. GET /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 3008. GET /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Long id of the custom
(Integer) action to be retrieved.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 3009. GET /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action has been successfully
retrieved.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while retrieving
custom action with supplied action_id.

Response Description

A custom action with containing following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.

Chapter 7. Previous REST API versions 1473

 v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

POST /analytics/custom_actions/actions/{action_id}
DEPRECATED
Updates an existing custom action.

The custom action must contain the following fields:

v id - Required - Number - Unique ID of the custom action within the QRadar
deployment.
v name - Optional - String - Unique name of the custom action within the QRadar
deployment.
v description - Optional - String - Description of the custom action.
v interpreter - Required - Number - Unique ID of the custom action interpreter
used by the custom action.
v script - Required - Number - Unique ID of the custom action script used by the
custom action.
v parameters - Required - Array - Array of custom action parameters contained
within the custom action. Each Custom action parameter must have the
following fields:
name - Required - String - Name of the custom action parameter. Unique in
the context of the parent custom action.
parameter_type - Optional - String - Custom action parameter type. Can be
either fixed or dynamic.
encrypted - Optional - Boolean - Designates whether the custom action
parameter value field is stored in an encrypted state.True if encrypted, false
otherwise.

1474 QRadar API Reference Guide

 value - Optional - String - Value of the custom action parameter. Custom
action parameters with parameter_type fixed can have any value. Custom
action parameters with parameter_type dynamic must have values
corresponding to column names in an Ariel database, for example sourceip.
Ariel database column names are available through the /api/ariel/databases/
{database_name} endpoint.
Table 3010. POST /analytics/custom_actions/actions/{action_id} resource details
MIME Type
application/json

Table 3011. POST /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action to be
updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 3012. POST /analytics/custom_actions/actions/{action_id} request body details

Parameter Data Type MIME Type Description Sample
custom_action Object application/json Custom action JSON { "description":
object which can "String", "id": 42,
contain the supplied "interpreter": 42,
fields (see above for "name": "String",
more details). "parameters": [ {
"encrypted": true,
"name": "String",
"parameter_type":
"String", "value":
"String" } ], "script": 42
}

Table 3013. POST /analytics/custom_actions/actions/{action_id} response codes

HTTP Response
Code Unique Code Description
200 The custom action has been updated.
404 1002 The requested custom action could not be found.
422 1005 One or more parameters are invalid in request.
500 1020 An internal server error occurred while updating
custom action with supplied action_id.

Chapter 7. Previous REST API versions 1475

 Response Description

The updated custom action with the following fields:

v id - Number - Unique ID of the custom action within the QRadar deployment.
v name - String - Unique name of the custom action within the QRadar
deployment.
v description - String - Optional description attached to the custom action.
v interpreter - Number - Unique ID of the custom action interpreter used by the
custom action.
v script - Number - Unique ID of the custom action script used by the custom
action.
v parameters - Array - Array of custom action parameters contained within the
custom action. Each Custom action parameter has the following fields:
name - String - Name of the custom action parameter. Unique in the context
of the parent custom action.
parameter_type - String - Custom action parameter type. Can be either fixed
or dynamic.
encrypted - Boolean - Designates whether the custom action parameter value
field is stored in an encrypted state.True if encrypted, false otherwise.
value - String - Value of the custom action parameter.

Response Sample
{
"description": "String",
"id": 42,
"interpreter": 42,
"name": "String",
"parameters": [
{
"encrypted": true,
"name": "String",
"parameter_type": "String",
"value": "String"
}
],
"script": 42
}

DELETE /analytics/custom_actions/actions/{action_id}
DEPRECATED
Deletes an existing custom action.
Table 3014. DELETE /analytics/custom_actions/actions/{action_id} resource details
MIME Type
text/plain

Table 3015. DELETE /analytics/custom_actions/actions/{action_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
action_id path Required Number text/plain Number id of the
(Integer) custom action you wish
to delete.

1476 QRadar API Reference Guide

Table 3016. DELETE /analytics/custom_actions/actions/{action_id} response codes
HTTP Response
Code Unique Code Description
204 The custom action has been deleted.
404 1002 The requested custom action could not be found.
500 1020 An internal server error occurred while deleting
custom action with supplied action_id.

Response Description

Empty response with 204 successful response code.

Response Sample

GET /analytics/custom_actions/scripts/{script_id} DEPRECATED

Retrieves meta-data of a custom action script file based on supplied script_id.
Table 3017. GET /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 3018. GET /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script
file.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 3019. GET /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
200 The requested custom action script file has been
retrieved.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while retrieving
custom action script file meta-data with supplied
script_id.

Chapter 7. Previous REST API versions 1477

 Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

POST /analytics/custom_actions/scripts/{script_id} DEPRECATED

Updates an existing custom action script file. Updated custom action script files
require a deployment before using.

Updated custom action script files require a deployment before use. You can
include an optional HTTP header file_name containing the custom action script file
name. If not specified, the custom action script file name defaults to the script ID
of the uploaded file.
Table 3020. POST /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
application/json

Table 3021. POST /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be updated.
fields header Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 3022. POST /analytics/custom_actions/scripts/{script_id} request body details

Parameter Data Type MIME Type Description Sample
file File application/octet- Required. The custom File
stream action script file. Must
be supplied with MIME
type
application/octet-stream.

1478 QRadar API Reference Guide

Table 3023. POST /analytics/custom_actions/scripts/{script_id} response codes
HTTP Response
Code Unique Code Description
200 The custom action script file has been updated.
404 1002 The requested custom action script file could not be
found.
500 1020 An internal server error occurred while updating
custom action script file with supplied script_id.

Response Description

Custom action script file meta-data with the following fields:

v id - Number - Unique ID of the custom action script file within the QRadar
deployment.
v name - String - Name of the custom action script file.

Response Sample
{
"file_name": "String",
"id": 42
}

DELETE /analytics/custom_actions/scripts/{script_id}
DEPRECATED
Deletes an existing custom action script file.
Table 3024. DELETE /analytics/custom_actions/scripts/{script_id} resource details
MIME Type
text/plain

Table 3025. DELETE /analytics/custom_actions/scripts/{script_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
script_id path Required Number text/plain Number id of the
(Integer) custom action script file
to be deleted.

Table 3026. DELETE /analytics/custom_actions/scripts/{script_id} response codes

HTTP Response
Code Unique Code Description
204 The custom action script file has been deleted.
404 1002 The requested custom action script file could not be
found.
422 1005 The requested custom action script file is tied to an
existing custom action.
500 1020 An internal server error occurred while deleting
custom action script file with supplied script_id.

Chapter 7. Previous REST API versions 1479

 Response Description

Empty response with a 204 successful response code.

Response Sample

Ariel endpoints
Use the references for REST API V5 Ariel endpoints.

GET /ariel/databases DEPRECATED

Retrieve Ariel database names

Retrieve a list of available Ariel databases.

Table 3027. GET /ariel/databases resource details
MIME Type
application/json

Table 3028. GET /ariel/databases request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 3029. GET /ariel/databases response codes

HTTP Response
Code Unique Code Description
200 The database list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of Ariel databases.

Response Description

The names of the available Ariel databases.

Response Sample
[
"String"
]

GET /ariel/databases/{database_name} DEPRECATED

Retrieve the columns defined for a specific Ariel database.

1480 QRadar API Reference Guide

This is the set of columns that can be explicitly named in the column list of a
SELECT query.
Table 3030. GET /ariel/databases/{database_name} resource details
MIME Type
application/json

Table 3031. GET /ariel/databases/{database_name} request parameter details

Parameter Type Optionality Data Type MIME Type Description
database_name path Required String text/plain Required. The name of
the Ariel database that
contains the columns
that you want to
retrieve.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements that
are returned in the list to
a specified range. The
list is indexed starting at
zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in a
list base on the contents
of various fields.

Table 3032. GET /ariel/databases/{database_name} response codes

HTTP Response
Code Unique Code Description
200 The database columns were retrieved.
404 1002 The database does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
database columns.

Response Description

A list of columns that are defined for the specified database. Multiple properties of
each column are returned. For example, the column name or an indication that the
column is indexable.

Chapter 7. Previous REST API versions 1481

 Response Sample
{
"columns": [
{
"argument_type": "String",
"indexable": true,
"name": "String"
}
]
}

GET /ariel/searches DEPRECATED

Retrieve Ariel search_ids.

Retrieve the list of Ariel searches. This includes search_ids for completed and
active searches.
Table 3033. GET /ariel/searches resource details
MIME Type
application/json

Table 3034. GET /ariel/searches request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

Table 3035. GET /ariel/searches response codes

HTTP Response
Code Unique Code Description
200 The search list was retrieved.
500 1020 An error occurred while attempting to retrieve the
list of searches.

Response Description

A list of search IDs.

Response Sample
[
"String"
]

1482 QRadar API Reference Guide

POST /ariel/searches DEPRECATED
Create a new asynchronous Ariel search

Creates a new Ariel search as specified by the Ariel Query Language (AQL) query
expression. Searches are executed asynchronously. A reference to the search_id is
returned and should be used in subsequent API calls to determine the status of the
search and retrieve the results once it is complete.

This endpoint only accepts SELECT and RUN query expressions.

Queries are applied to the range of data in a certain time interval. By default this
time interval is the last 60 seconds. An alternative time interval can be specified by
specifying them as part of the query expression. For further information, see the
AQL reference.
Table 3036. POST /ariel/searches resource details
MIME Type
application/json

Table 3037. POST /ariel/searches request parameter details

Parameter Type Optionality Data Type MIME Type Description
query_expression query Required String text/plain Required - The AQL
query to execute.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that are
not named are excluded.
Specify subfields in
brackets and multiple
fields in the same object
are separated by
commas.

Table 3038. POST /ariel/searches response codes

HTTP Response
Code Unique Code Description
201 A new Ariel search was successfully created.
409 1004 The search could not be created, the requested
search ID provided in the query_expression is
already in use. Please use a unique search ID (or
allow one to be generated).
422 2000 The query_expression contains invalid AQL syntax.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to create a new
search.

Response Description

Information about the specified search, including the search_id. Use the search_id
to access or manipulate the search with the other API endpoints.

Chapter 7. Previous REST API versions 1483

 If the exact search being created was already recently created, the response
message will return a reference to the original search_id rather than creating a new
search.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

GET /ariel/searches/{search_id} DEPRECATED

Retrieve information about an Ariel search

Retrieve status information for a search, based on the search_id parameter. The
same informational fields are returned regardless of whether the search is in
progress or is complete.
Table 3039. GET /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 3040. GET /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The identifier
for an Ariel search.

1484 QRadar API Reference Guide

Table 3040. GET /ariel/searches/{search_id} request parameter details (continued)
MIME
Parameter Type Optionality Data Type Type Description
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 3041. GET /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
200 The search information was retrieved.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
search information.

Response Description

Information about the specified search, including the search status.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

Chapter 7. Previous REST API versions 1485

 POST /ariel/searches/{search_id} DEPRECATED
Update an Ariel search.

Update details for an Ariel search. You can update searches in the following ways:
v To cancel an active search, set the status parameter to CANCELED. This stops
the search and keeps any search results that were collected before the search was
canceled.
v The results for a completed search can be saved by setting the save_results
parameter to true. This ensures that the search is not automatically removed
when it expires in accordance with the retention policy.

The Ariel server uses an internal retention policy to manage available disk space.
Searches might be deleted automatically, according to the settings of the retention
policy. Searches with saved results are not automatically reclaimed by the server
and are therefore retained. A search can be explicitly deleted by using the DELETE
/searches/{search_id} endpoint.

Note: Saving too many search results might result in insufficient disk space to
process new searches.
Table 3042. POST /ariel/searches/{search_id} resource details
MIME Type
application/json

Table 3043. POST /ariel/searches/{search_id} request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required. The ID of the
search to update.
save_results query Optional String text/plain Optional. The only
accepted value is true.
If this value is
provided, the search
results will not be
deleted by the search
expiration removal
process.
status query Optional String text/plain Optional. The only
accepted value is
CANCELED. If this
value is provided, the
search will be canceled.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

1486 QRadar API Reference Guide

Table 3044. POST /ariel/searches/{search_id} response codes
HTTP Response
Code Unique Code Description
200 The search was updated.
404 1002 The search does not exist.
409 1008 The current status of the search prevented the search
results from being saved.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to update the
search.

Response Description

Information about the specified search that was updated.

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,
"save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

DELETE /ariel/searches/{search_id} DEPRECATED

Delete an Ariel search

Deletes an Ariel search. This discards any results that were collected and stops the
search if it is currently processing. This search is deleted regardless of whether the
results were saved.
Table 3045. DELETE /ariel/searches/{search_id} resource details
MIME Type
application/json

Chapter 7. Previous REST API versions 1487

 Table 3046. DELETE /ariel/searches/{search_id} request parameter details
MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain Required - The
search_id of the search
to delete.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.

Table 3047. DELETE /ariel/searches/{search_id} response codes

HTTP Response
Code Unique Code Description
202 The delete request has been accepted.
404 1002 The search does not exist.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to delete the
search.

Response Description

Information about the deleted search

Response Sample
{
"compressed_data_file_count": 42,
"compressed_data_total_size": 42,
"cursor_id": "String",
"data_file_count": 42,
"data_total_size": 42,
"desired_retention_time_msec": 42,
"error_messages": [
{
"code": "String",
"contexts": [
"String"
],
"message": "String",
"severity": "String <one of: INFO, WARN, ERROR>"
}
],
"index_file_count": 42,
"index_total_size": 42,
"processed_record_count": 42,
"progress": 42,
"query_execution_time": 42,
"record_count": 42,

1488 QRadar API Reference Guide

 "save_results": true,
"search_id": "String",
"status": "String <one of: WAIT, EXECUTE, SORTING, COMPLETED, CANCELED, ERROR>"
}

GET /ariel/searches/{search_id}/results DEPRECATED

Retrieves search results in the requested format.

Retrieve the results of the Ariel search that is identified by the search_id. The
Accepts request header indicates the format of the result. The format can be JSON,
CSV, XML, or tabular text.

By default, all query result records are returned. To restrict the results to a
contiguous subset of the records, you can supply a Range header to specify the
inclusive range of records to be returned.

This end-point works with query results that are generated by AQL query
expressions. This endpoint might not work as expected for results that are
generated by other means. Search results might not be retrievable for searches that
are created on the Console.

The response samples are for the following query: Select sourceIP, destinationIP
from events.
Table 3048. GET /ariel/searches/{search_id}/results resource details
MIME Type
application/json application/csv text/table application/xml

Table 3049. GET /ariel/searches/{search_id}/results request parameter details

MIME
Parameter Type Optionality Data Type Type Description
search_id path Required String text/plain The ID of the search
criteria for the returned
results.
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.

Table 3050. GET /ariel/searches/{search_id}/results response codes

HTTP Response
Code Unique Code Description
200 The search results were retrieved.
404 1002 The search does not exist.
404 1003 Search results not found. The search is still in
progress.
422 1005 A request parameter is not valid.
500 1020 An error occurred while attempting to retrieve the
search results.

Chapter 7. Previous REST API versions 1489

 Response Description

The search results for the specified search_id. The format that is used to
encapsulate the data depends on the format specified in the Accept header for this
request.

Response Sample
{
"events": [
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
},
{
"sourceIP": "1.1.1.1",
"destinationIP": "127.0.0.1"
}
]
}

Asset model endpoints

Use the references for REST API V5 Asset Model endpoints.

GET /asset_model/assets DEPRECATED

List all assets found in the model.
Table 3051. GET /asset_model/assets resource details
MIME Type
application/json

Table 3052. GET /asset_model/assets request parameter details

MIME
Parameter Type Optionality Data Type Type Description
Range header Optional String text/plain Optional - Use this
parameter to restrict the
number of elements
that are returned in the
list to a specified range.
The list is indexed
starting at zero.
fields query Optional String text/plain Optional - Use this
parameter to specify
which fields you would
like to get back in the
response. Fields that
are not named are
excluded. Specify
subfields in brackets
and multiple fields in
the same object are
separated by commas.
filter query Optional String text/plain Optional - This
parameter is used to
restrict the elements in
a list base on the
contents of various
fields.

1490 QRadar API Reference Guide

Table 3053. GET /asset_model/assets response codes
HTTP Response
Code Unique Code Description
200 The request to retrieve assets completed successfully.
500 1020 The server encountered an error while trying to
retrieve the assets.

Response Description

List of assets retrieved using the associated asset saved search.

Response Sample
[{"id": 42,
"domain_id": 42,
"interfaces": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler": 42,
"created": 42,
"last_seen_profiler": 42,
"last_seen_scanner": 42,
"mac_address": "String",
"ip_addresses": [{"first_seen_scanner": 42,
"id": 42,
"first_seen_profiler"