IBM Support

QRadar: How to get the rule group name associated with a rule via the API?

How To


Summary

This article provides a way to use the QRadar API to find the group name associated with a custom rule.

Steps

Getting the rule group name associated with a rule is a two-step process:
I.  Get the rule_id of the rule by using the GET /analytics/rules API.
II. Use that rule_id to retrieve the group name from the GET /analytics/rule_groups API.
Step I: Get the rule_id for the rule
  1. In the analytics group, open the rules API (GET /analytics/rules).
  2. In the parameters of the API, provide the following values:

    Parameters:
    • fields: Specifies which fields are returned in the response. Here we want the "id" field of the rule.
    • filter: Specify name = "<Rule_name>" (the quotes are part of the filter expression).
    • Range: Restricts the number of elements returned in the list to the specified range.

      NOTE: More details about each parameter are provided on the GUI in the API parameters section.

  3. Click the "Try it Out!" button. A successful API response returns the rule_id of the matching rule.
  4. The equivalent cURL command for this API call is available on the GUI under the cURL section:

    curl -S -X GET -u admin -H 'Range: items=0-49' -H 'Version: 19.0' -H 'Accept: application/json' 'https://<CONSOLE IP/FQDN>/api/analytics/rules?fields=id&filter=name%20%3D%20%22Possible%20Local%20IRC%20Server%22'
    
Step II: Get the rule group name associated with a rule_id
  1. In the analytics group, open the rule_groups API (GET /analytics/rule_groups).
  2. In the parameters section, enter the following values:

    Parameters:
    • fields: Specifies which fields are returned in the response. Here we want the "name" field of each group associated with the rule.
    • filter: Specify child_items contains <Rule_id>, where <Rule_id> is the ID retrieved in Step I.
    • Range: Restricts the number of elements returned in the list to the specified range.

      NOTE: More details about each parameter are provided on the GUI in the API parameters section.

  3. Click the "Try it Out!" button. A successful API response returns the names of the rule groups associated with the rule. In this example, the queried rule belongs to two groups, "Compliance" and "Threats".
  4. The equivalent cURL command for this API call is available on the GUI under the cURL section:

    curl -S -X GET -u admin -H 'Range: items=0-5' -H 'Version: 19.0' -H 'Accept: application/json' 'https://<CONSOLE IP/FQDN>/api/analytics/rule_groups?fields=name&filter=child_items%20contains%20100241'
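The two steps chained into one script, as an added example that is not part of the IBM article: it builds the same percent-encoded URLs as the two cURL commands above and sends the same headers. The console host name and credentials are placeholders, and the sample API responses are constructed so the script runs offline.

```python
# Added example (not IBM's code): rule name -> rule_id -> rule group names, the two
# steps of the article. Host and credentials below are placeholders.
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

API_VERSION = "19.0"  # Version header used by the article's cURL commands

def build_url(console: str, endpoint: str, fields: str, filter_expr: str) -> str:
    """/api/analytics/<endpoint> URL, filter percent-encoded as the cURL section shows."""
    query = urllib.parse.urlencode({"fields": fields, "filter": filter_expr},
                                   quote_via=urllib.parse.quote)  # space->%20, "->%22
    return f"https://{console}/api/analytics/{endpoint}?{query}"

def make_http_fetcher(user: str, password: str, rng: str = "items=0-49") -> Callable[[str], list]:
    """GET with the cURL commands' headers; TLS verification stays on (trust the console cert locally)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(url: str) -> list:
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}",
            "Range": rng, "Version": API_VERSION, "Accept": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch

def get_rule_ids(fetch: Callable, console: str, rule_name: str) -> List[int]:
    """Step I: fields=id, filter=name = "<Rule_name>". A name may match several rules."""
    return [r["id"] for r in fetch(build_url(console, "rules", "id", f'name = "{rule_name}"'))]

def get_group_names(fetch: Callable, console: str, rule_id: int) -> List[str]:
    """Step II: fields=name, filter=child_items contains <Rule_id>."""
    url = build_url(console, "rule_groups", "name", f"child_items contains {int(rule_id)}")
    return [g["name"] for g in fetch(url)]

def groups_for_rule(fetch: Callable, console: str, rule_name: str) -> Dict[int, List[str]]:
    """Both steps chained: {rule_id: [group names]} for every rule with that name."""
    return {rid: get_group_names(fetch, console, rid) for rid in get_rule_ids(fetch, console, rule_name)}

# Constructed sample responses (shapes as in the article's screenshots) for offline use.
SAMPLE = {"rules?fields=id&filter=name%20%3D%20%22Possible%20Local%20IRC%20Server%22": [{"id": 100241}],
          "rule_groups?fields=name&filter=child_items%20contains%20100241": [{"name": "Compliance"}, {"name": "Threats"}]}

def sample_fetch(url: str) -> list:
    """Offline stand-in for make_http_fetcher(): answers from the constructed table above."""
    return SAMPLE[url.split("/api/analytics/", 1)[1]]

if __name__ == "__main__":
    # Live use: fetch = make_http_fetcher("admin", "<password>")  # placeholder credentials
    print(groups_for_rule(sample_fetch, "qradar.example.internal", "Possible Local IRC Server"))
```

For a live console, pass the fetcher returned by make_http_fetcher() instead of sample_fetch; the Range header caps how many rules or groups come back, so widen it if a name matches many rules.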
    

Document Location

Worldwide


Document Information

Modified date:
10 January 2023

UID

ibm16621991