How To
Summary
This article explains how to close offenses from the QRadar API.
Steps
Before you begin
Find the offense ID for the offense you want to close. It can be found in QRadar in the Offenses section, under the All Offenses table.
Steps
- Open the Interactive API for Developers by using the URL https://<QRadar_Console_IP>/api_doc with your console's IP address.
- Go to siem, then select offense_closing_reasons.
- In the right pane, scroll down until the Try It Out! button is visible, then click it.
- Find the id for the closure reason you want to use when you close your offense and take a note of it.
- Go to siem. Select offenses and then {offense_id}.
- Ensure the action is set to POST.
- In the right pane, scroll down until the Parameters box is visible, then add the following:
  - To the offense_id text box, add the offense to be closed.
    Note: The offense ID can be found in QRadar in the Offenses section, under the All Offenses table.
  - To the closing_reason_id, add the closing reason ID you recorded earlier.
  - To the status text box, add the text CLOSED.
  This is an example of the curl command it might generate:
      curl -S -X POST -u admin -H 'Version: 17.0' -H 'Accept: application/json' 'https://<QRadar_Console_URL>/api/siem/offenses/100?closing_reason_id=2&status=CLOSED'
- Click Try It Out! to execute the curl.
Result
The API returns a successful response code of 200 and the offense is closed. If it returns an error, check your parameters and try again.
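The same two-step procedure as a script, added here as an example and not IBM's code: it picks the closing reason by name, builds the POST shown in the curl command, and checks the returned offense instead of trusting the 200 alone. Assumptions: the host name qradar.example.test, an authorized service token sent in the SEC header in place of -u admin, and the response field names text, is_deleted, status and closing_reason_id.

```python
import json
import urllib.parse
import urllib.request

API_VERSION = "17.0"  # same Version header as the curl command on this page


def closing_reason_id(reasons_json, text):
    """Return the id of the one active closing reason whose text matches."""
    matches = [r["id"] for r in json.loads(reasons_json)
               if r.get("text") == text and not r.get("is_deleted")]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} closing reasons match {text!r}")
    return matches[0]


def build_close_request(console, offense_id, reason_id, token):
    """Build the POST that closes one offense; nothing is sent here."""
    # int() raises on non-numeric input, so only numbers reach the URL.
    query = urllib.parse.urlencode(
        {"closing_reason_id": int(reason_id), "status": "CLOSED"})
    url = f"https://{console}/api/siem/offenses/{int(offense_id)}?{query}"
    headers = {"Version": API_VERSION, "Accept": "application/json",
               "SEC": token}  # assumed token auth instead of -u admin
    return urllib.request.Request(url, method="POST", headers=headers)


def confirm_closed(response_json, offense_id, reason_id):
    """True only if the returned offense is the requested one and is CLOSED."""
    offense = json.loads(response_json)
    return (offense.get("id") == int(offense_id)
            and offense.get("status") == "CLOSED"
            and offense.get("closing_reason_id") == int(reason_id))


# Constructed sample bodies, not output from a real console.
SAMPLE_REASONS = ('[{"id": 1, "text": "Non-Issue", "is_deleted": false},'
                  ' {"id": 2, "text": "False-Positive, Tuned", "is_deleted": false}]')
SAMPLE_RESPONSE = '{"id": 100, "status": "CLOSED", "closing_reason_id": 2}'

if __name__ == "__main__":
    rid = closing_reason_id(SAMPLE_REASONS, "False-Positive, Tuned")
    req = build_close_request("qradar.example.test", 100, rid, "PLACEHOLDER")
    print(req.get_method(), req.full_url)
    # To send: urllib.request.urlopen(req), then confirm_closed() on the body.
    print(confirm_closed(SAMPLE_RESPONSE, 100, rid))
```

Read the token from a secrets store or environment variable at run time rather than embedding it in the script.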
Document Location
Worldwide
Document Information
Modified date:
29 March 2023
UID
ibm16965488