How To
Summary
This article describes the QRadar EDR (formerly ReaQta) Hive API endpoints for working with generated alerts: listing and filtering alerts, retrieving a single alert (by ID or by the endpoint-local ID), and closing an alert.
Steps
GET - /1/alerts
This API is used to retrieve all alerts generated in ReaQta Hive.
- Request URL: GET https://<Hive Server URL>/rqt-api/1/alerts
- Parameters (all optional, passed as query parameters):
  - id (array[string]): IDs of the alerts to retrieve.
  - endpointId (array[string]): IDs of the endpoints on which the alerts were generated.
  - triggerCondition (array[number]): Trigger condition of the alert. Values: 0 = Code Injection, 1 = Process Impersonated, 2 = Signature Forged, 3 = Incident Correlated, 4 = DLL Sideloaded, 5 = Suspicious Script Executed, 6 = Policies Triggered, 7 = Anomalous Behavior Detected, 8 = Token Stolen, 9 = Ransomware Behavior Detected, 10 = Privilege Escalated, 11 = External Trigger, 12 = Detection Strategy, 13 = Antimalware Detection.
  - tag (array[string]): Tags assigned to the alerts.
  - activityState (string): Activity state of the alert. Values: active, idle, inactive, archived.
  - severity (array[string]): Severity of the alert. Values: safe, low, medium, high.
  - status (array[string]): Classification status of the alert. Values: malicious, benign, none.
  - happenedAfter / happenedBefore (string): The alert happened after / before the provided date.
  - receivedAfter / receivedBefore (string): The alert was received by the backend after / before the provided date.
  - closedAfter / closedBefore (string): The alert was closed after / before the provided date.
  - country (array[string]): Country of the connection events present in the alert.
  - sortBy (string): A list of sort parameters. Default is "happenedAt" descending. Possible values are "happenedAt", "receivedAt", "impact" and "severity" (case-sensitive). A value can be followed by ":asc" or ":desc" for ascending or descending order; if the suffix is omitted, the order is ascending. Multiple values are allowed, separated by ",", but each value may appear at most once. Example: happenedAt:desc,receivedAt,impact:desc
  - gid (array[string]): Group IDs to which the endpoint on which the alert was generated belongs.
  - count (number, double): Number of alerts to return in a single page.
  - lastSeenId (string): If present, alerts are sorted by id in ascending order and only those with an id strictly greater than the provided value are returned. Note: this parameter cannot be combined with sortBy; the API returns 400 in that case.
- Using the endpointId parameter: to retrieve the alerts of a particular endpoint, pass its endpointId:
GET https://<Hive Server URL>/rqt-api/1/alerts?endpointId=<endpointId>
- Note: The endpointId of an endpoint (and the other filter values, such as alert IDs, tags and group IDs) can be read from the alerts returned by a GET /1/alerts call: each alert carries an endpointId field and an endpoint object.
- Request Body: None
- Headers: Provide the Content-Type and Authorization headers:
  - Content-Type: application/json
  - Authorization: Bearer <token>
Note: The token is generated when the API client authenticates. See ReaQta: Authentication of API client for details.
- Response: You receive one of the following response codes depending on whether the request succeeded.
Status Code 200 (List of matching alerts). Example response value; nextPage and remainingItems are the paging fields that go with the count and lastSeenId parameters:
{ "result": [ { "id": "string", "localId": "string", "endpointId": "string", "triggerCondition": "0", "endpoint": { "id": "string", "machineId": "string", "osType": "0", "cpuVendor": "0", "arch": "0", "cpuDescr": "string", "kernel": "string", "os": "string", "name": "string", "domain": "string", "state": "0", "registrationTime": "string", "deregistrationTime": "string", "agentVersion": "string", "componentsVersions": [ { "name": "string", "version": "string", "build": "string" } ], "isVirtualMachine": true, "isDomainController": true, "isServer": true, "sessionStart": "string", "sessionEnd": "string", "lastSeenAt": "string", "disconnectionReason": "0", "localAddr": "string", "hvStatus": 0, "macs": [ "string" ], "isolated": true, "connected": true, "tags": [ "string" ], "groups": [ { "id": "string", "name": "string", "description": "string", "parentGroupId": "string" } ], "avInstalled": true, "avOnline": true, "avDbLatestUpdateTime": 0, "avDbSignaturesNum": 0, "avAgentVersion": "string" }, "triggerEvents": [ { "id": "string", "category": "info", "localId": "string", "endpointId": "string", "receivedAt": "string", "happenedAt": "string", "relevance": 0, "severity": "none", "trigger": true, "manuallyAdded": true, "process": { "id": "string", "parentId": "string", "endpointId": "string", "program": { "path": "string", "filename": "string", "md5": "string", "sha1": "string", "sha256": "string", "certInfo": { "signer": "string", "issuer": "string", "trusted": true, "expired": true }, "size": 0, "arch": "string", "fsName": "string" }, "user": "string", "pid": 0, "startTime": "string", "ppid": 0, "pstartTime": "string", "userSID": "string", "privilegeLevel": "string", "noGui": true, "logonId": "string" }, "eventType": 0, "data": { "additionalProp1": "string", "additionalProp2": "string", "additionalProp3": "string" } } ], "totalEventCount": 0, "byTypeEventCount": [ { "type": 0, "count": 0 } ], "impact": 0, "severity": "safe", "closed": true, "closedAt": "string", "activityState": "active", "terminationReason": "0", "receivedAt": "string", "happenedAt": "string", "tags": [ "string" ], "notes": "string", "endpointState": { "osType": "0", "cpuVendor": "0", "arch": "0", "cpuDescr": "string", "kernel": "string", "os": "string", "hvStatus": 0, "name": "string", "domain": "string", "isolated": true, "localAddr": "string", "macs": [ "string" ], "componentsVersions": [ { "name": "string", "version": "string", "build": "string" } ], "endpointVersion": "string", "tags": [ "string" ], "groups": [ { "id": "string", "name": "string", "description": "string", "parentGroupId": "string" } ] }, "alertStatus": "malicious", "title": "string" } ], "nextPage": "string", "remainingItems": 0 }
GET - /1/alert/{alertID}
This API is used to retrieve details of a particular alert.
- Request URL: GET https://<Hive Server URL>/rqt-api/1/alert/<alertID>
Note: The alertID is the id field of an alert returned by GET /1/alerts.
- Request Body: None
- Headers: Provide the Content-Type and Authorization headers:
  - Content-Type: application/json
  - Authorization: Bearer <token>
Note: The token is generated when the API client authenticates. See ReaQta: Authentication of API client for details.
- Responses: You receive one of the following response codes depending on whether the request succeeded.
Status Code 200 (OK). Example response value:
{ "id": "string", "localId": "string", "endpointId": "string", "triggerCondition": "0", "endpoint": { "id": "string", "machineId": "string", "osType": "0", "cpuVendor": "0", "arch": "0", "cpuDescr": "string", "kernel": "string", "os": "string", "name": "string", "domain": "string", "state": "0", "registrationTime": "string", "deregistrationTime": "string", "agentVersion": "string", "componentsVersions": [ { "name": "string", "version": "string", "build": "string" } ], "isVirtualMachine": true, "isDomainController": true, "isServer": true, "sessionStart": "string", "sessionEnd": "string", "lastSeenAt": "string", "disconnectionReason": "0", "localAddr": "string", "hvStatus": 0, "macs": [ "string" ], "isolated": true, "connected": true, "tags": [ "string" ], "groups": [ { "id": "string", "name": "string", "description": "string", "parentGroupId": "string" } ], "avInstalled": true, "avOnline": true, "avDbLatestUpdateTime": 0, "avDbSignaturesNum": 0, "avAgentVersion": "string" }, "triggerEvents": [ { "id": "string", "category": "info", "localId": "string", "endpointId": "string", "receivedAt": "string", "happenedAt": "string", "relevance": 0, "severity": "none", "trigger": true, "manuallyAdded": true, "process": { "id": "string", "parentId": "string", "endpointId": "string", "program": { "path": "string", "filename": "string", "md5": "string", "sha1": "string", "sha256": "string", "certInfo": { "signer": "string", "issuer": "string", "trusted": true, "expired": true }, "size": 0, "arch": "string", "fsName": "string" }, "user": "string", "pid": 0, "startTime": "string", "ppid": 0, "pstartTime": "string", "userSID": "string", "privilegeLevel": "string", "noGui": true, "logonId": "string" }, "eventType": 0, "data": { "additionalProp1": "string", "additionalProp2": "string", "additionalProp3": "string" } } ], "totalEventCount": 0, "byTypeEventCount": [ { "type": 0, "count": 0 } ], "impact": 0, "severity": "safe", "closed": true, "closedAt": "string", "activityState": "active", "terminationReason": "0", "receivedAt": "string", "happenedAt": "string", "tags": [ "string" ], "notes": "string", "endpointState": { "osType": "0", "cpuVendor": "0", "arch": "0", "cpuDescr": "string", "kernel": "string", "os": "string", "hvStatus": 0, "name": "string", "domain": "string", "isolated": true, "localAddr": "string", "macs": [ "string" ], "componentsVersions": [ { "name": "string", "version": "string", "build": "string" } ], "endpointVersion": "string", "tags": [ "string" ], "groups": [ { "id": "string", "name": "string", "description": "string", "parentGroupId": "string" } ] }, "alertStatus": "malicious", "title": "string" }
Status Code 404 (The alert was not found). Example response value:
{ "message": "Alert not found", "details": { "additionalProp1": "string", "additionalProp2": "string", "additionalProp3": "string" } }
POST - /1/alert/{alertID}/close
This API is used to close an existing alert.
- Request URL: POST https://<Hive Server URL>/rqt-api/1/alert/<alertID>/close
- Parameters:
  - malicious (query, boolean): If present, closes the alert and marks it as malicious. Note: If the alert is already closed, you can use the malicious parameter to reclassify it.
- Request Body: None
- Headers: Provide the Content-Type and Authorization headers:
  - Content-Type: application/json
  - Authorization: Bearer <token>
Note: The token is generated when the API client authenticates. See ReaQta: Authentication of API client for details.
- Responses: You receive one of the following response codes depending on whether the request succeeded.
Status Code 200 (OK). Example response value:
{ "alertId": "string", "closed": true, "malicious": true }
Status Code 404 (Alert not found). Example response value:
{ "message": "Alert not found", "details": { "additionalProp1": "string", "additionalProp2": "string", "additionalProp3": "string" } }
GET - /1/alert/local/{alertLocalID}/endpoint/{endpointID}
This API retrieves the details of an alert by the localId assigned to it by the endpoint that generated it, together with the ID of that endpoint.
- Request URL: GET https://<Hive Server URL>/rqt-api/1/alert/local/{alertLocalID}/endpoint/{endpointID}
- Request Body: None
- Headers: Provide the Content-Type and Authorization headers:
  - Content-Type: application/json
  - Authorization: Bearer <token>
Note: The token is generated when the API client authenticates. See ReaQta: Authentication of API client for details.
- Responses: You receive one of the following response codes depending on whether the request succeeded.
Status Code 200 (OK). Example response value:
{ "id": "string", "localId": "string", "endpointId": "string", "triggerCondition": "0", "endpoint": { "id": "string", "machineId": "string", "osType": "0", "cpuVendor": "0", "arch": "0", "cpuDescr": "string", "kernel": "string", "os": "string", "name": "string", "domain": "string", "state": "0", "registrationTime": "string", "deregistrationTime": "string", "agentVersion": "string", "componentsVersions": [ { "name": "string", "version": "string", "build": "string" } ], "isVirtualMachine": true, "isDomainController": true, "isServer": true, "sessionStart": "string", "sessionEnd": "string", "lastSeenAt": "string", "disconnectionReason": "0", "localAddr": "string", "hvStatus": 0, "macs": [ "string" ], "isolated": true, "connected": true, "tags": [ "string" ], "groups": [ { "id": "string", "name": "string", "description": "string", "parentGroupId": "string" } ], "avInstalled": true, "avOnline": true, "avDbLatestUpdateTime": 0, "avDbSignaturesNum": 0, "avAgentVersion": "string" }, "triggerEvents": [ { "id": "string", "category": "info", "localId": "string", "endpointId": "string", "receivedAt": "string", "happenedAt": "string", "relevance": 0, "severity": "none", "trigger": true, "manuallyAdded": true, "process": { "id": "string", "parentId": "string", "endpointId": "string", "program": { "path": "string", "filename": "string", "md5": "string", "sha1": "string", "sha256": "string", "certInfo": { "signer": "string", "issuer": "string", "trusted": true, "expired": true }, "size": 0, "arch": "string", "fsName": "string" }, "user": "string", "pid": 0, "startTime": "string", "ppid": 0, "pstartTime": "string", "userSID": "string", "privilegeLevel": "string", "noGui": true, "logonId": "string" }, "eventType": 0, "data": { "additionalProp1": "string", "additionalProp2": "string", "additionalProp3": "string" } } ], "totalEventCount": 0, "byTypeEventCount": [ { "type": 0, "count": 0 } ], "impact": 0, "severity": "safe", "closed": true, "closedAt": "string", "activityState": "active", "terminationReason": "0", "receivedAt": "string", "happenedAt": "string", "tags": [ "string" ], "notes": "string", "endpointState": { "osType": "0", "cpuVendor": "0", "arch": "0", "cpuDescr": "string", "kernel": "string", "os": "string", "hvStatus": 0, "name": "string", "domain": "string", "isolated": true, "localAddr": "string", "macs": [ "string" ], "componentsVersions": [ { "name": "string", "version": "string", "build": "string" } ], "endpointVersion": "string", "tags": [ "string" ], "groups": [ { "id": "string", "name": "string", "description": "string", "parentGroupId": "string" } ] }, "alertStatus": "malicious", "title": "string" }
Status Code 404 (The alert was not found). Example response value:
{ "message": "Alert not found", "details": { "additionalProp1": "string", "additionalProp2": "string", "additionalProp3": "string" } }
Additional Information
Example:
Using the alerts API to retrieve all active high-severity alerts:
- Request URL: GET https://<Hive Server URL>/rqt-api/1/alerts?activityState=active&severity=high
- Parameters used: activityState = active, severity = high
- Code Snippet:
curl --location --request GET 'https://<Hive Server URL>/rqt-api/1/alerts?activityState=active&severity=high' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: Bearer <token generated from API client authentication>'
The request carries no body. The application ID and secret key of the API client are sent only to the authentication call that issues the bearer token; do not include them in alert requests.
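The same query, walked page by page and followed by closing an alert, as an added Python example (not IBM's or ReaQta's code). It covers the GET /1/alerts filters and lastSeenId paging described above and the POST /1/alert/{alertID}/close endpoint. Assumptions not stated in the article: the bearer token has already been obtained from the API-client authentication step; the malicious query parameter accepts the literal values true and false; "0" sorts below every real alert id, so it can be used as the initial lastSeenId and every page is then id-ascending; the in-memory backend and sample alerts are constructed for the demonstration and model only the behaviour the article documents.

```python
"""Added example (not IBM/ReaQta code): client for the Hive alert endpoints above, with an
injectable transport so the module runs offline against a constructed in-memory backend."""
from __future__ import annotations

import json
import urllib.error
import urllib.request
from typing import Any, Callable, Iterator
from urllib.parse import parse_qs, urlencode, urlsplit

Transport = Callable[[str, str, dict], tuple[int, Any]]  # (method, url, headers) -> (status, json body)


def urllib_transport(method: str, url: str, headers: dict) -> tuple[int, Any]:
    """Real HTTPS transport; the offline demo below does not use it."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


class HiveAlerts:
    def __init__(self, hive_url: str, token: str, transport: Transport = urllib_transport):
        self.base = hive_url.rstrip("/") + "/rqt-api/1"
        # Bearer token from the API-client authentication step (assumed already obtained).
        self.headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
        self.transport = transport

    def _call(self, method: str, path: str, params: dict | None = None) -> tuple[int, Any]:
        qs = urlencode(params or {}, doseq=True)  # array parameters repeat the key
        return self.transport(method, self.base + path + (f"?{qs}" if qs else ""), self.headers)

    def iter_alerts(self, page_size: int = 100, start_after: str = "0", **filters) -> Iterator[dict]:
        """Yield all alerts matching `filters`, paging with lastSeenId (id-ascending, strictly greater
        than the cursor). lastSeenId with sortBy is a 400, so it is rejected before any request.
        Assumption: "0" sorts below every real alert id, so page one is already id-ascending."""
        if "sortBy" in filters:
            raise ValueError("sortBy cannot be combined with lastSeenId paging")
        last_id = start_after
        while True:
            status, body = self._call("GET", "/alerts", dict(filters, count=page_size, lastSeenId=last_id))
            if status != 200:
                raise RuntimeError(f"GET /alerts -> {status}: {body}")
            page = body.get("result", [])
            yield from page
            if not page or not body.get("remainingItems"):
                return
            last_id = page[-1]["id"]  # last id of an ascending page is the next cursor

    def close_alert(self, alert_id: str, malicious: bool) -> dict:
        """Close an alert, or reclassify one already closed; raises KeyError on 404.
        Assumption: the boolean query parameter takes the literals true/false."""
        status, body = self._call("POST", f"/alert/{alert_id}/close", {"malicious": str(malicious).lower()})
        if status == 404:
            raise KeyError(body.get("message", "Alert not found"))
        if status != 200:
            raise RuntimeError(f"POST close -> {status}: {body}")
        return body


def make_fake_transport(store: dict[str, dict]) -> Transport:
    """Constructed in-memory stand-in for the Hive backend; response shapes follow the article."""
    def transport(method: str, url: str, headers: dict) -> tuple[int, Any]:
        parts = urlsplit(url)
        q = parse_qs(parts.query)
        if method == "GET" and parts.path.endswith("/alerts"):
            rows = [a for a in store.values() if all(a[k] in q[k] for k in ("severity", "activityState") if k in q)]
            if "lastSeenId" in q:  # documented: id-ascending, ids strictly greater than the given one
                rows = sorted((a for a in rows if a["id"] > q["lastSeenId"][0]), key=lambda a: a["id"])
            n = int(float(q.get("count", ["100"])[0]))
            return 200, {"result": rows[:n], "nextPage": rows[n]["id"] if len(rows) > n else None,
                         "remainingItems": max(len(rows) - n, 0)}
        if method == "POST" and parts.path.endswith("/close"):
            alert_id = parts.path.rsplit("/", 2)[1]
            if alert_id not in store:
                return 404, {"message": "Alert not found", "details": {}}
            malicious = q.get("malicious", ["false"])[0] == "true"
            store[alert_id].update(closed=True, alertStatus="malicious" if malicious else "benign")
            return 200, {"alertId": alert_id, "closed": True, "malicious": malicious}
        return 404, {"message": "Not found", "details": {}}
    return transport


# Constructed sample alerts (id, severity, activityState, triggerCondition); not real data.
FAKE_ALERTS = [{"id": i, "severity": s, "activityState": st, "triggerCondition": tc, "alertStatus": "none"}
               for i, s, st, tc in [("1001", "high", "active", 0), ("1002", "low", "active", 5),
                                    ("1003", "high", "active", 9), ("1004", "high", "inactive", 0),
                                    ("1005", "medium", "active", 7), ("1006", "high", "active", 13),
                                    ("1007", "high", "active", 8)]]


def demo(page_size: int = 2) -> dict:
    """The article's active+high query, paged two alerts at a time, then a close and a 404."""
    store = {a["id"]: dict(a) for a in FAKE_ALERTS}
    client = HiveAlerts("https://hive.example.internal", "TOKEN", make_fake_transport(store))
    hits = list(client.iter_alerts(page_size=page_size, activityState="active", severity="high"))
    closed = client.close_alert(hits[0]["id"], malicious=True)
    try:
        client.close_alert("9999", malicious=False)
        missing = None
    except KeyError as err:
        missing = err.args[0]
    return {"ids": [a["id"] for a in hits], "closed": closed, "missing": missing,
            "status_after": store[hits[0]["id"]]["alertStatus"]}
```

Against a real deployment, construct `HiveAlerts("https://<Hive Server URL>", token)` and the default `urllib_transport` performs the HTTPS calls with the same headers as the curl snippet; the fake transport exists only so the paging and close logic can be exercised offline. Because lastSeenId paging returns ids strictly greater than the cursor, the loop never re-reads an alert and stops as soon as remainingItems is zero.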
Document Location
Worldwide
Product Synonym
ReaQta
Document Information
Modified date:
17 May 2023
UID
ibm16571225