How To
Summary
This article provides a way to use the QRadar API to find the group name associated with a custom rule.
Steps
Getting the rule group name associated with a rule is a two-step process:
I. Get the rule_id of the rule by using the GET /analytics/rules API.
II. Using that rule_id, retrieve the group name from the GET /analytics/rule_groups API.
Step I: Get the rule_id for the rule
- In the analytics group, refer to the rules API.
- In the parameters of the API, provide the following values:
  - fields: This parameter specifies which fields you would like returned in the response. Here we are looking for the "id" field associated with the rule.
  - filter: Here specify "name = <Rule_name>".
  - Range: This parameter restricts the number of elements returned in the list to a specified range.
NOTE: More details about each parameter are provided on the GUI in the API parameters section.
- Click the "Try it Out!" button. A successful API response returns the rule_id, as shown here:
- The cURL equivalent of the corresponding API call is available on the GUI under the cURL section:
curl -S -X GET -u admin -H 'Range: items=0-49' -H 'Version: 19.0' -H 'Accept: application/json' 'https://<CONSOLE IP/FQDN>/api/analytics/rules?fields=id&filter=name%20%3D%20%22Possible%20Local%20IRC%20Server%22'
Step II: Get the rule group name associated with a rule id
- In the analytics group, refer to the rule_groups API.
- In the parameters section, enter the following values:
  - fields: This parameter specifies which fields you would like returned in the response. Here we are looking for the "name" field of the group associated with the rule.
  - filter: Here specify "child_items contains <Rule_id>". This ID is the one retrieved in the previous step.
  - Range: This parameter restricts the number of elements returned in the list to a specified range.
NOTE: More details about each parameter are provided on the GUI in the API parameters section.
- Click the "Try it Out!" button. A successful API response returns the rule group names associated with the rule, as shown here:
Here the rule in question is part of two groups, "Compliance" and "Threats".
- The cURL equivalent of the corresponding API call is available on the GUI under the cURL section:
curl -S -X GET -u admin -H 'Range: items=0-5' -H 'Version: 19.0' -H 'Accept: application/json' 'https://<CONSOLE IP/FQDN>/api/analytics/rule_groups?fields=name&filter=child_items%20contains%20100241'
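The two steps above, chained in one script as an added example (not IBM's code): it builds the same percent-encoded filters the console's cURL output shows, calls /api/analytics/rules and then /api/analytics/rule_groups with the Version, Range and Accept headers from the cURL commands, and returns every group the rule belongs to. The console hostname, the "admin" user and the password prompt are assumptions; the page only shows "-u admin".

```python
import base64
import json
import urllib.parse
import urllib.request

API_VERSION = "19.0"  # same Version header as the cURL commands above

def rules_query(rule_name):
    """Query string for GET /api/analytics/rules: only the id field, filtered by exact name."""
    params = {"fields": "id", "filter": f'name = "{rule_name}"'}
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)  # %20, not '+'

def rule_groups_query(rule_id):
    """Query string for GET /api/analytics/rule_groups: names of groups whose child_items contain rule_id."""
    params = {"fields": "name", "filter": f"child_items contains {int(rule_id)}"}
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)

def make_getter(console, user, password, max_items=50):
    """Return get(path, query) -> parsed JSON list, using basic auth like 'curl -u admin'."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def get(path, query):
        req = urllib.request.Request(f"https://{console}{path}?{query}", headers={
            "Range": f"items=0-{max_items - 1}",   # cap the returned list, as in the cURL example
            "Version": API_VERSION,
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        })
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return get

def lookup_rule_id(rule_name, get):
    """Step I: return the rule's id, or None if no rule has exactly that name."""
    rows = get("/api/analytics/rules", rules_query(rule_name))
    return rows[0]["id"] if rows else None

def find_rule_groups(rule_name, get):
    """Steps I + II: return the names of every group the named rule belongs to."""
    rule_id = lookup_rule_id(rule_name, get)
    if rule_id is None:
        raise LookupError(f"no rule named {rule_name!r}")
    rows = get("/api/analytics/rule_groups", rule_groups_query(rule_id))
    return [row["name"] for row in rows]  # a rule may sit in several groups

if __name__ == "__main__":
    import getpass, sys
    console, rule = sys.argv[1], sys.argv[2]  # e.g. qradar.example.com "Possible Local IRC Server" (assumed host)
    get = make_getter(console, "admin", getpass.getpass("Password: "))
    print(find_rule_groups(rule, get))
```

The `get` callable is injected so the lookup logic can be exercised against canned responses without a console; with the page's rule and ID it yields ["Compliance", "Threats"].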
Document Location
Worldwide
Document Information
Modified date:
10 January 2023
UID
ibm16621991