Creating reference data collections with the APIs

You can use the application programming interface (API) to manage IBM® QRadar® reference data collections.

Procedure

  1. Use a web browser to access https://<Console IP>/api_doc and log in as the administrator.
  2. Select the latest iteration of the IBM QRadar API.
  3. Select the /reference_data directory.
  4. To create a new reference set, follow these steps:
    1. Select /sets.
    2. Click POST and enter the relevant information in the Value fields.
      The following table provides information about the parameters that are required to create a reference set:

      Table 1. Parameters - Reference Set

      | Parameter | Type | Value | Data Type | MIME Type | Sample |
      |---|---|---|---|---|---|
      | element_type | query | (required) | String | text/plain | String <one of: ALN, NUM, IP, PORT, ALNIC, DATE, CIDR> |
      | name | query | (required) | String | text/plain | String |
      | fields | query | (optional) | String | text/plain | field_one (field_two, field_three), field_four |
      | time_to_live | query | (optional) | String | text/plain | String |
      | timeout_type | query | (optional) | String | text/plain | String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN> |

    3. Click Try It Out! to finish creating the reference data collection and to view the results.
  5. To create a new reference map, follow these steps:
    1. Click /maps.
    2. Click POST and enter the relevant information in the Value fields.
      The following table provides information about the parameters that are required to create a reference map:

      Table 2. Parameters - Reference Map

      | Parameter | Type | Value | Data Type | MIME Type | Sample |
      |---|---|---|---|---|---|
      | element_type | query | (required) | String | text/plain | String <one of: ALN, NUM, IP, PORT, ALNIC, DATE, CIDR> |
      | name | query | (required) | String | text/plain | String |
      | fields | query | (optional) | String | text/plain | field_one (field_two, field_three), field_four |
      | key_label | query | (optional) | String | text/plain | String |
      | time_to_live | query | (optional) | String | text/plain | String |
      | timeout_type | query | (optional) | String | text/plain | String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN> |
      | value_label | query | (optional) | String | text/plain | String |

    3. Click Try It Out! to finish creating the reference data collection and to view the results.
  6. To create a new reference map of sets, follow these steps:
    1. Select /map_of_sets.
    2. Click POST and enter the relevant information in the Value fields.
      The following table provides information about the parameters that are required to create a reference map of sets:

      Table 3. Parameters - Reference Map of Sets

      | Parameter | Type | Value | Data Type | MIME Type | Sample |
      |---|---|---|---|---|---|
      | element_type | query | (required) | String | text/plain | String <one of: ALN, NUM, IP, PORT, ALNIC, DATE, CIDR> |
      | name | query | (required) | String | text/plain | String |
      | fields | query | (optional) | String | text/plain | field_one (field_two, field_three), field_four |
      | key_label | query | (optional) | String | text/plain | String |
      | time_to_live | query | (optional) | String | text/plain | String |
      | timeout_type | query | (optional) | String | text/plain | String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN> |
      | value_label | query | (optional) | String | text/plain | String |

    3. Click Try It Out! to finish creating the reference data collection and to view the results.
  7. To create a new reference table or map of maps, follow these steps:
    1. Click /tables.
    2. Click POST and enter the relevant information in the Value fields.
      The following table provides information about the parameters that are required to create a reference table or a map of maps:

      Table 4. Parameters - Reference Table

      | Parameter | Type | Value | Data Type | MIME Type | Sample |
      |---|---|---|---|---|---|
      | element_type | query | (required) | String | text/plain | String <one of: ALN, NUM, IP, PORT, ALNIC, DATE, CIDR> |
      | name | query | (required) | String | text/plain | String |
      | fields | query | (optional) | String | text/plain | field_one (field_two, field_three), field_four |
      | key_name_types | query | (optional) | Array | application/json | [ { "element_type": "String <one of: ALN, NUM, IP, PORT, ALNIC, DATE, CIDR>", "key_name": "String" }] |
      | outer_key_label | query | (optional) | String | text/plain | String |
      | time_to_live | query | (optional) | String | text/plain | String |
      | timeout_type | query | (optional) | String | text/plain | String <one of: UNKNOWN, FIRST_SEEN, LAST_SEEN> |

    3. Click Try It Out! to finish creating the reference data collection and to view the results.
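
The POST requests from steps 4 to 7 can also be prepared in a script. The following Python is an added example, not IBM's code: it builds, without sending, the POST request for any of the four endpoints after checking the parameters against Tables 1 to 4. The /api base path, the SEC token header, the host name and the token value are assumptions that do not appear on this page.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request

# Allowed values and per-endpoint optional parameters, as listed in Tables 1-4.
ELEMENT_TYPES = {"ALN", "NUM", "IP", "PORT", "ALNIC", "DATE", "CIDR"}
TIMEOUT_TYPES = {"UNKNOWN", "FIRST_SEEN", "LAST_SEEN"}
COMMON = {"fields", "time_to_live", "timeout_type"}
OPTIONAL = {
    "sets": COMMON,
    "maps": COMMON | {"key_label", "value_label"},
    "map_of_sets": COMMON | {"key_label", "value_label"},
    "tables": COMMON | {"key_name_types", "outer_key_label"},
}


def build_create_request(console, token, kind, name, element_type, **optional):
    """Return an unsent POST request that creates one reference data collection."""
    if kind not in OPTIONAL:
        raise ValueError(f"unknown collection type: {kind!r}")
    if not name:
        raise ValueError("name is required")
    if element_type not in ELEMENT_TYPES:
        raise ValueError(f"element_type must be one of {sorted(ELEMENT_TYPES)}")
    unexpected = set(optional) - OPTIONAL[kind]
    if unexpected:
        raise ValueError(f"/{kind} does not take {sorted(unexpected)}")
    if optional.get("timeout_type", "UNKNOWN") not in TIMEOUT_TYPES:
        raise ValueError(f"timeout_type must be one of {sorted(TIMEOUT_TYPES)}")
    for entry in optional.get("key_name_types", []):
        if entry.get("element_type") not in ELEMENT_TYPES or not entry.get("key_name"):
            raise ValueError(f"invalid key_name_types entry: {entry!r}")
    params = {"name": name, "element_type": element_type}
    for key in sorted(optional):
        value = optional[key]
        # key_name_types is the only application/json parameter; the rest are text/plain.
        params[key] = json.dumps(value) if key == "key_name_types" else str(value)
    # Assumption: the REST API is served under /api and accepts a token in a SEC header.
    url = f"https://{console}/api/reference_data/{kind}?{urlencode(params)}"
    return Request(url, method="POST", headers={"SEC": token, "Accept": "application/json"})


if __name__ == "__main__":
    # Constructed sample values: host name, token, set name and time_to_live are placeholders.
    req = build_create_request("qradar.example.test", "PLACEHOLDER_TOKEN", "sets",
                               "blocked_ips", "IP", time_to_live="7 days",
                               timeout_type="LAST_SEEN")
    print(req.get_method(), req.full_url)
```

Pass the returned object to `urllib.request.urlopen` with certificate verification left enabled, and load the token from a secret store rather than from the script.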